tree-wide: convert everything from morph to nixinate + sops-nix
Signed-off-by: Christoph Heiss <christoph@c8h4.io>
This commit is contained in:
parent
17b2602c2a
commit
320b97d660
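--- /dev/null
+++ b/.prettierignore
@@ -0,0 +1 @@
+secrets/sops/**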
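--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,35 @@
+---
+keys:
+- &christoph_trek age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy
+- &christoph_zero age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh
+# generate with: `ssh <machine> 'sudo cat /etc/ssh/ssh_host_ed25519_key.pub' | nix run nixpkgs#ssh-to-age`
+- &machine_tank age165nqtky9a5kdhca70uwd0cewqle7egzm4vmcmrpfnqfuchjdg3esn7frvh
+- &machine_fort age1h96sm0j0k5kjmuf857xurtq7rwk5fhptenjdlkgmadtrz4lm95rqm6ctm2
+- &machine_zero age1xdd0mzt7mhr30rzvt34ygxurlvdvs53svg7lxd6843lx83vy0guqew578d
+
+creation_rules:
+- path_regex: secrets/sops/(acme|restic)\.yaml
+key_groups:
+- age:
+- *christoph_trek
+- *christoph_zero
+- *machine_tank
+- *machine_fort
+- path_regex: secrets/sops/(grafana|home-assistant|navidrome|sourcehut|tank|vaultwarden)\.yaml
+key_groups:
+- age:
+- *christoph_trek
+- *christoph_zero
+- *machine_tank
+- path_regex: secrets/sops/(alertmanager|fort|matrix-hookshot|wireguard)\.yaml
+key_groups:
+- age:
+- *christoph_trek
+- *christoph_zero
+- *machine_fort
+- path_regex: secrets/sops/zero\.yaml
+key_groups:
+- age:
+- *christoph_trek
+- *christoph_zero
+- *machine_zero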
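Review bot: Changing a `creation_rules` entry here does not change who can decrypt the already committed `secrets/sops/*.yaml`; the recipients are baked into each file's `sops.age` block, so every edit to this file has to be followed by `sops updatekeys secrets/sops/<file>.yaml` and a check that each file's recipient list still matches its rule. The `path_regex` patterns are unanchored, so `^secrets/sops/(acme|restic)\.yaml$` and the like would stop a stray copy in another directory from inheriting the same recipients. The `ssh-to-age` hint needs no `sudo`, since `ssh_host_ed25519_key.pub` is world-readable; `ssh-keyscan -t ed25519 <machine> | nix run nixpkgs#ssh-to-age` yields the same key without a shell on the host, though its output is unauthenticated and should be compared with the entry already in `~/.ssh/known_hosts`. Because the `machine_*` recipients are derived from SSH host keys, a reinstall or host-key rotation silently leaves that machine unable to decrypt until its new key is added here and the files are re-keyed; a comment saying so next to those three keys would save the next operator a debugging session.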
10
README.md
10
README.md
|
@ -30,14 +30,6 @@
|
|||
|
||||
- `system/home-manager`: home-manager configuration.
|
||||
|
||||
### Notable files
|
||||
|
||||
- `default.nix`: Morph deployment definitions
|
||||
|
||||
- `flake.nix`: Nix development shell definition
|
||||
|
||||
- `sources.nix`: Contains all Nix package/module source definitions
|
||||
|
||||
## Hacking
|
||||
|
||||
`nix develop` will provide an ephemeral shell with all tools needed.
|
||||
|
@ -48,4 +40,4 @@ The code is released into the public domain.
|
|||
|
||||
Other conditions apply to the following files:
|
||||
|
||||
- `extra/sway/background.png`: [Photo](https://unsplash.com/photos/wQLAGv4_OYs) by [Lucas Kapla](https://unsplash.com/@aznbokchoy), [Unsplash License](https://unsplash.com/license)
|
||||
- `pkgs/sway-background-image/background.jpg`: [Photo](https://unsplash.com/photos/wQLAGv4_OYs) by [Lucas Kapla](https://unsplash.com/@aznbokchoy), [Unsplash License](https://unsplash.com/license)
|
||||
|
|
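--- a/default.nix
+++ /dev/null
@@ -1,42 +0,0 @@
-let
-inherit (import ./sources.nix) defaultPkgs overlays;
-
-pkgs = import defaultPkgs { inherit overlays; };
-inherit (pkgs) lib;
-
-mkMachine = name:
-{ tags, pkgs ? null }:
-{ config, ... }: {
-_module.args = {
-machineName = "${name}.c8h4.io";
-my = import ./secrets/my.nix;
-inherit (config.deployment) secrets;
-};
-imports = [ (./machines + "/${name}.nix") ./modules ];
-nixpkgs.pkgs = lib.mkIf (pkgs != null) pkgs;
-deployment = {
-substituteOnDestination = true;
-inherit tags;
-};
-};
-
-machines = {
-back = { tags = [ "external" "server" "baremetal" ]; };
-fort = { tags = [ "external" "server" "vm" ]; };
-tank = {
-tags = [ "homelab" "server" "baremetal" ];
-pkgs = import defaultPkgs {
-inherit overlays;
-# https://nixos.wiki/wiki/Home-assistant#OpenSSL_1.1_is_marked_as_insecure.2C_refusing_to_evaluate
-config.permittedInsecurePackages = [ "openssl-1.1.1w" ];
-};
-};
-trek = { tags = [ "desktop" ]; };
-zero = { tags = [ "desktop" ]; };
-};
-in {
-network = {
-inherit pkgs;
-description = "c8h4.io infrastructure";
-};
-} // (builtins.mapAttrs mkMachine machines)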
188
flake.lock
188
flake.lock
|
@ -1,5 +1,37 @@
|
|||
{
|
||||
"nodes": {
|
||||
"blobs": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1604995301,
|
||||
"narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
|
||||
"owner": "simple-nixos-mailserver",
|
||||
"repo": "blobs",
|
||||
"rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
|
||||
"type": "gitlab"
|
||||
},
|
||||
"original": {
|
||||
"owner": "simple-nixos-mailserver",
|
||||
"repo": "blobs",
|
||||
"type": "gitlab"
|
||||
}
|
||||
},
|
||||
"flake-compat": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1668681692,
|
||||
"narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
|
||||
"owner": "edolstra",
|
||||
"repo": "flake-compat",
|
||||
"rev": "009399224d5e398d03b22badca40a37ac85412a1",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "edolstra",
|
||||
"repo": "flake-compat",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-utils": {
|
||||
"inputs": {
|
||||
"systems": "systems"
|
||||
|
@ -65,6 +97,43 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixinate": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1708891350,
|
||||
"narHash": "sha256-VOQrKK7Df/IVuNki+NshVuGkTa/Tw0GigPjWcZff6kk=",
|
||||
"owner": "MatthewCroughan",
|
||||
"repo": "nixinate",
|
||||
"rev": "452f33c60df5b72ad0858f5f2cf224bdf1f17746",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "MatthewCroughan",
|
||||
"repo": "nixinate",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixos-hardware": {
|
||||
"locked": {
|
||||
"lastModified": 1714465198,
|
||||
"narHash": "sha256-ySkEJvS0gPz2UhXm0H3P181T8fUxvDVcoUyGn0Kc5AI=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixos-hardware",
|
||||
"rev": "68d680c1b7c0e67a9b2144d6776583ee83664ef4",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "refs/heads/master",
|
||||
"repo": "nixos-hardware",
|
||||
"rev": "68d680c1b7c0e67a9b2144d6776583ee83664ef4",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1714514312,
|
||||
|
@ -82,15 +151,119 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs-22_11": {
|
||||
"locked": {
|
||||
"lastModified": 1669558522,
|
||||
"narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"id": "nixpkgs",
|
||||
"ref": "nixos-22.11",
|
||||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"nixpkgs-23_05": {
|
||||
"locked": {
|
||||
"lastModified": 1684782344,
|
||||
"narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "8966c43feba2c701ed624302b6a935f97bcbdf88",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"id": "nixpkgs",
|
||||
"ref": "nixos-23.05",
|
||||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"nixpkgs-sourcehut": {
|
||||
"locked": {
|
||||
"lastModified": 1712771850,
|
||||
"narHash": "sha256-Wb/xWLVSi5rZCRna2IUs43NVdquTlaQ/YNyx2IU79SQ=",
|
||||
"owner": "christoph-heiss",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "6729c6c653f17a5f9f1dcf5439d3e98652406042",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "christoph-heiss",
|
||||
"ref": "refs/heads/sourcehut-fix",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "6729c6c653f17a5f9f1dcf5439d3e98652406042",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"flake-utils": "flake-utils",
|
||||
"home-manager": "home-manager",
|
||||
"nixgl": "nixgl",
|
||||
"nixinate": "nixinate",
|
||||
"nixos-hardware": "nixos-hardware",
|
||||
"nixpkgs": "nixpkgs",
|
||||
"nixpkgs-sourcehut": "nixpkgs-sourcehut",
|
||||
"simple-nixos-mailserver": "simple-nixos-mailserver",
|
||||
"sops-nix": "sops-nix",
|
||||
"treefmt-nix": "treefmt-nix"
|
||||
}
|
||||
},
|
||||
"simple-nixos-mailserver": {
|
||||
"inputs": {
|
||||
"blobs": "blobs",
|
||||
"flake-compat": "flake-compat",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
"nixpkgs-22_11": "nixpkgs-22_11",
|
||||
"nixpkgs-23_05": "nixpkgs-23_05",
|
||||
"utils": "utils"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1689976554,
|
||||
"narHash": "sha256-uWJq3sIhkqfzPmfB2RWd5XFVooGFfSuJH9ER/r302xQ=",
|
||||
"owner": "simple-nixos-mailserver",
|
||||
"repo": "nixos-mailserver",
|
||||
"rev": "c63f6e7b053c18325194ff0e274dba44e8d2271e",
|
||||
"type": "gitlab"
|
||||
},
|
||||
"original": {
|
||||
"owner": "simple-nixos-mailserver",
|
||||
"ref": "refs/heads/master",
|
||||
"repo": "nixos-mailserver",
|
||||
"rev": "c63f6e7b053c18325194ff0e274dba44e8d2271e",
|
||||
"type": "gitlab"
|
||||
}
|
||||
},
|
||||
"sops-nix": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
"nixpkgs-stable": [
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1713668495,
|
||||
"narHash": "sha256-4BvlfPfyUmB1U0r/oOF6jGEW/pG59c5yv6PJwgucTNM=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "09f1bc8ba3277c0f052f7887ec92721501541938",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "Mic92",
|
||||
"ref": "refs/heads/master",
|
||||
"repo": "sops-nix",
|
||||
"rev": "09f1bc8ba3277c0f052f7887ec92721501541938",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"systems": {
|
||||
"locked": {
|
||||
"lastModified": 1681028828,
|
||||
|
@ -125,6 +298,21 @@
|
|||
"repo": "treefmt-nix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"utils": {
|
||||
"locked": {
|
||||
"lastModified": 1605370193,
|
||||
"narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "5021eac20303a61fafe17224c087f5519baed54d",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"type": "github"
|
||||
}
|
||||
}
|
||||
},
|
||||
"root": "root",
|
||||
|
|
166
flake.nix
166
flake.nix
|
@ -17,6 +17,28 @@
|
|||
rev = "2b87a11125f988a9f67ee63eeaa3682bc841d9b5"; # 06-05-2024
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
nixos-hardware = {
|
||||
type = "github";
|
||||
owner = "NixOS";
|
||||
repo = "nixos-hardware";
|
||||
ref = "refs/heads/master";
|
||||
rev = "68d680c1b7c0e67a9b2144d6776583ee83664ef4"; # 30-04-2024
|
||||
};
|
||||
nixpkgs-sourcehut = {
|
||||
type = "github";
|
||||
owner = "christoph-heiss";
|
||||
repo = "nixpkgs";
|
||||
ref = "refs/heads/sourcehut-fix";
|
||||
rev = "6729c6c653f17a5f9f1dcf5439d3e98652406042";
|
||||
};
|
||||
simple-nixos-mailserver = {
|
||||
type = "gitlab";
|
||||
owner = "simple-nixos-mailserver";
|
||||
repo = "nixos-mailserver";
|
||||
ref = "refs/heads/master";
|
||||
rev = "c63f6e7b053c18325194ff0e274dba44e8d2271e"; # 21-07-2023
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
nixgl = {
|
||||
type = "github";
|
||||
owner = "guibou";
|
||||
|
@ -31,10 +53,24 @@
|
|||
url = "github:numtide/treefmt-nix";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
nixinate = {
|
||||
url = "github:MatthewCroughan/nixinate";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
sops-nix = {
|
||||
type = "github";
|
||||
owner = "Mic92";
|
||||
repo = "sops-nix";
|
||||
ref = "refs/heads/master";
|
||||
rev = "09f1bc8ba3277c0f052f7887ec92721501541938"; # 21-04-2024
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
inputs.nixpkgs-stable.follows = "nixpkgs";
|
||||
};
|
||||
};
|
||||
|
||||
outputs =
|
||||
{ self, nixpkgs, home-manager, nixgl, flake-utils, treefmt-nix, ... }:
|
||||
outputs = { self, nixpkgs, home-manager, nixos-hardware, nixpkgs-sourcehut
|
||||
, simple-nixos-mailserver, nixgl, flake-utils, treefmt-nix, nixinate
|
||||
, sops-nix }:
|
||||
flake-utils.lib.eachSystem [ "x86_64-linux" "aarch64-linux" ] (system:
|
||||
let
|
||||
pkgs = import nixpkgs { inherit system; };
|
||||
|
@ -43,69 +79,23 @@
|
|||
treefmt = treefmt-nix.lib.evalModule pkgs {
|
||||
projectRootFile = "flake.nix";
|
||||
programs = {
|
||||
nixfmt.enable = true;
|
||||
stylua.enable = true;
|
||||
statix.enable = true;
|
||||
deadnix.enable = true;
|
||||
nixfmt.enable = true;
|
||||
prettier.enable = true;
|
||||
shellcheck.enable = true;
|
||||
statix.enable = true;
|
||||
stylua.enable = true;
|
||||
};
|
||||
};
|
||||
|
||||
mkMorphDeploy = selector: name:
|
||||
pkgs.writeShellScript "deploy-${selector}-${name}" ''
|
||||
set -x
|
||||
${pkgs.morph}/bin/morph deploy --show-trace --passwd --${selector} "${name}" ./default.nix switch
|
||||
'';
|
||||
|
||||
mkMorphBuild = selector: name:
|
||||
pkgs.writeShellScript "build-${selector}-${name}" ''
|
||||
set -x
|
||||
${pkgs.morph}/bin/morph build --show-trace --${selector} "${name}" ./default.nix
|
||||
'';
|
||||
|
||||
mkMorphUploadSecrets = selector: name:
|
||||
pkgs.writeShellScript "deploy-${selector}-${name}" ''
|
||||
set -x
|
||||
${pkgs.morph}/bin/morph upload-secrets --show-trace --passwd --${selector} "${name}" ./default.nix
|
||||
'';
|
||||
|
||||
mkHomeManagerFlake = name:
|
||||
pkgs.writeShellScript "hm-flake-${name}" ''
|
||||
set -x
|
||||
${pkgs.home-manager}/bin/home-manager switch --flake .#${name} -b bak
|
||||
'';
|
||||
|
||||
machines = [ "back" "fort" "tank" "trek" "zero" ];
|
||||
tags = [ "baremetal" "desktop" "external" "homelab" "server" "vm" ];
|
||||
in {
|
||||
apps = (builtins.listToAttrs (map (name: {
|
||||
inherit name;
|
||||
value = {
|
||||
type = "app";
|
||||
program = "${mkMorphDeploy "on" name}";
|
||||
};
|
||||
}) machines)) // {
|
||||
tags = builtins.listToAttrs (map (name: {
|
||||
inherit name;
|
||||
value = {
|
||||
type = "app";
|
||||
program = "${mkMorphDeploy "tagged" name}";
|
||||
};
|
||||
}) tags);
|
||||
build = builtins.listToAttrs (map (name: {
|
||||
inherit name;
|
||||
value = {
|
||||
type = "app";
|
||||
program = "${mkMorphBuild "on" name}";
|
||||
};
|
||||
}) machines);
|
||||
upload-secrets = builtins.listToAttrs (map (name: {
|
||||
inherit name;
|
||||
value = {
|
||||
type = "app";
|
||||
program = "${mkMorphUploadSecrets "on" name}";
|
||||
};
|
||||
}) machines);
|
||||
apps = (nixinate.nixinate.${system} self).nixinate // {
|
||||
maui = {
|
||||
type = "app";
|
||||
program = "${mkHomeManagerFlake "maui"}";
|
||||
|
@ -119,9 +109,70 @@
|
|||
|
||||
formatter = treefmt.config.build.wrapper;
|
||||
|
||||
devShells.default =
|
||||
pkgs.mkShell { inputsFrom = [ treefmt.config.build.devShell ]; };
|
||||
}) // (let inherit (import ./sources.nix) overlays;
|
||||
devShells.default = pkgs.mkShell {
|
||||
inputsFrom = [ treefmt.config.build.devShell ];
|
||||
nativeBuildInputs = with pkgs; [ age sops ];
|
||||
};
|
||||
}) // (let
|
||||
overlays = [
|
||||
(import ./pkgs)
|
||||
(self: super: {
|
||||
vimPlugins = super.vimPlugins
|
||||
// (import ./pkgs/vim-plugins.nix self super);
|
||||
})
|
||||
(_: super: {
|
||||
inherit (import nixpkgs-sourcehut { inherit (super) system; })
|
||||
sourcehut;
|
||||
})
|
||||
];
|
||||
machines = {
|
||||
back = { };
|
||||
fort = { };
|
||||
tank.extraModules = [{
|
||||
disabledModules = [ "services/misc/sourcehut" ];
|
||||
imports =
|
||||
[ "${nixpkgs-sourcehut}/nixos/modules/services/misc/sourcehut" ];
|
||||
}];
|
||||
trek.extraModules =
|
||||
[ nixos-hardware.nixosModules.framework-12th-gen-intel ];
|
||||
zero = { };
|
||||
};
|
||||
mkSystem = name:
|
||||
{ extraModules ? [ ], system ? "x86_64-linux" }:
|
||||
nixpkgs.lib.nixosSystem {
|
||||
inherit system;
|
||||
modules = [
|
||||
sops-nix.nixosModules.sops
|
||||
simple-nixos-mailserver.nixosModules.mailserver
|
||||
{ nixpkgs = { inherit overlays; }; }
|
||||
home-manager.nixosModules.home-manager
|
||||
{
|
||||
home-manager.useUserPackages = true;
|
||||
home-manager.useGlobalPkgs = true;
|
||||
}
|
||||
# who doesn't love a bit of composability
|
||||
({ config, ... }: {
|
||||
_module.args = {
|
||||
inherit (config.sops) secrets;
|
||||
my = import ./secrets/my.nix;
|
||||
nixinate = {
|
||||
host = name;
|
||||
sshUser = "christoph";
|
||||
buildOn = "local";
|
||||
substituteOnTarget = true;
|
||||
};
|
||||
};
|
||||
|
||||
imports = [ (./machines + "/${name}.nix") ];
|
||||
networking.hostName = name;
|
||||
sops.age = {
|
||||
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
keyFile = "/var/lib/sops-nix/key.txt";
|
||||
generateKey = true;
|
||||
};
|
||||
})
|
||||
] ++ (builtins.attrValues self.nixosModules) ++ extraModules;
|
||||
};
|
||||
in {
|
||||
homeConfigurations.maui = home-manager.lib.homeManagerConfiguration {
|
||||
pkgs = import nixpkgs {
|
||||
|
@ -131,5 +182,8 @@
|
|||
|
||||
modules = [ ./machines/maui.nix ];
|
||||
};
|
||||
|
||||
nixosConfigurations = builtins.mapAttrs mkSystem machines;
|
||||
nixosModules = import ./modules;
|
||||
});
|
||||
}
|
||||
|
|
|
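Review bot: `sops.age.generateKey = true` combined with `keyFile = "/var/lib/sops-nix/key.txt"` makes every host mint an additional age identity that no rule in `.sops.yaml` lists as a recipient, so it can never decrypt anything and only adds a second long-lived private key on disk to protect and rotate; `sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` already supplies the identity the `machine_*` recipients were derived from. Drop the `keyFile` and `generateKey` lines, or, if a key independent of the SSH host key is wanted, keep them and register the generated public key in `.sops.yaml` in place of the host key. Separately, `nixinate` is added with a bare `url` like `treefmt-nix`, while `sops-nix` and `nixos-hardware` in the same hunks carry an explicit `rev` with a date comment; since nixinate is the tool that performs the deployments, pinning it the same way keeps the supply-chain posture of the inputs uniform even though `flake.lock` locks it today. The `let` holding `mkSystem` is complete within the last hunk, but the `outputs` function it belongs to starts in an earlier hunk.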
@ -19,16 +19,13 @@ let
|
|||
in {
|
||||
imports = [
|
||||
../secrets/machines/fort.nix
|
||||
../secrets/morph/acme.nix
|
||||
../secrets/morph/matrix.nix
|
||||
../secrets/morph/restic.nix
|
||||
../secrets/morph/wireguard
|
||||
../services/alertmanager.nix
|
||||
../services/conduit.nix
|
||||
../services/fail2ban.nix
|
||||
../services/matrix-hookshot.nix
|
||||
../services/nginx.nix
|
||||
../services/node-exporter.nix
|
||||
../services/restic-client.nix
|
||||
../services/web/c8h4-io.nix
|
||||
../system/virtual-machine.nix
|
||||
];
|
||||
|
@ -73,26 +70,12 @@ in {
|
|||
environment.systemPackages = with pkgs; [ wireguard-tools ];
|
||||
|
||||
networking.hosts = my.homelab.hosts;
|
||||
|
||||
networking.firewall.allowedUDPPorts = with my.wireguard.netdevs; [
|
||||
c8h4.wireguardConfig.ListenPort
|
||||
airlab.wireguardConfig.ListenPort
|
||||
];
|
||||
|
||||
networking.useDHCP = false;
|
||||
|
||||
systemd.network = {
|
||||
enable = true;
|
||||
networks = {
|
||||
"10-wan" = hetznerWanNetwork // {
|
||||
address = [ "128.140.95.112/32" "2a01:4f8:c17:6f57::1/64" ];
|
||||
};
|
||||
"40-wg-c8h4" = my.wireguard.networks.c8h4;
|
||||
"41-wg-airlab" = my.wireguard.networks.airlab;
|
||||
};
|
||||
netdevs = {
|
||||
"40-wg-c8h4" = my.wireguard.netdevs.c8h4;
|
||||
"41-wg-airlab" = my.wireguard.netdevs.airlab;
|
||||
networks."10-wan" = hetznerWanNetwork // {
|
||||
address = [ "128.140.95.112/32" "2a01:4f8:c17:6f57::1/64" ];
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
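Review bot: The second hunk removes the `networking.firewall.allowedUDPPorts` entries for both WireGuard `ListenPort`s together with the `40-wg-c8h4`/`41-wg-airlab` netdevs and networks, and no added line in this commit recreates either, so unless the module that now consumes `secrets/sops/wireguard.yaml` (presumably sops-backed, given the `fort` rule in `.sops.yaml`) also opens those UDP ports, the tunnels come up with their listen ports filtered and remote peers can no longer initiate. Before deploying `fort`, confirm that module sets `networking.firewall.allowedUDPPorts` for the same ports; a comment at the removal site such as `# WireGuard netdevs, networks and firewall ports are configured by the sops-backed wireguard module` would make the move discoverable. `environment.systemPackages = with pkgs; [ wireguard-tools ];` staying here while the interfaces left is harmless but deserves the same pointer. The enclosing attribute set opens before the first hunk and appears to close with the `}` at the end of the second.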
@ -3,10 +3,6 @@
|
|||
{
|
||||
imports = [
|
||||
../secrets/machines/tank.nix
|
||||
../secrets/morph/acme.nix
|
||||
../secrets/morph/home-assistant.nix
|
||||
../secrets/morph/restic.nix
|
||||
../secrets/morph/sourcehut
|
||||
../services/grafana.nix
|
||||
../services/home-assistant.nix
|
||||
../services/navidrome.nix
|
||||
|
@ -15,9 +11,10 @@
|
|||
../services/paperless.nix
|
||||
../services/postgresql.nix
|
||||
../services/prometheus.nix
|
||||
../services/restic-client.nix
|
||||
../services/sourcehut.nix
|
||||
../services/vaultwarden.nix
|
||||
../services/tt-rss.nix
|
||||
../services/vaultwarden.nix
|
||||
../system/baremetal-server.nix
|
||||
../system/ucode-amd.nix
|
||||
../system/zfs.nix
|
||||
|
@ -85,6 +82,8 @@
|
|||
|
||||
powerManagement.cpuFreqGovernor = "powersave";
|
||||
|
||||
networking.nat.externalInterface = "enp4s0";
|
||||
|
||||
services.dashboard-icons = {
|
||||
enable = true;
|
||||
virtualHost = {
|
||||
|
|
|
@ -1,12 +1,7 @@
|
|||
{ pkgs, ... }:
|
||||
|
||||
let
|
||||
nixosHardwareCommit = "a6aa8174fa61e55bd7e62d35464d3092aefe0421";
|
||||
nixosHardware = fetchTarball
|
||||
"https://github.com/NixOS/nixos-hardware/archive/${nixosHardwareCommit}.zip";
|
||||
in {
|
||||
{
|
||||
imports = [
|
||||
"${nixosHardware}/framework/12th-gen-intel"
|
||||
../system/bluetooth.nix
|
||||
../system/desktop.nix
|
||||
../system/laptop.nix
|
||||
|
|
|
@ -2,6 +2,7 @@
|
|||
|
||||
{
|
||||
imports = [
|
||||
../secrets/machines/zero.nix
|
||||
../system/automation-target.nix
|
||||
../system/desktop.nix
|
||||
../system/ucode-amd.nix
|
||||
|
|
|
@ -1,9 +1,7 @@
|
|||
{
|
||||
imports = [
|
||||
./services/dashboard-icons.nix
|
||||
./services/filebrowser.nix
|
||||
./services/homer.nix
|
||||
./services/matrix-hookshot.nix
|
||||
./services/nextcloud.nix
|
||||
];
|
||||
dashboard-icons = import ./services/dashboard-icons.nix;
|
||||
filebrowser = import ./services/filebrowser.nix;
|
||||
homer = import ./services/homer.nix;
|
||||
matrix-hookshot = import ./services/matrix-hookshot.nix;
|
||||
nextcloud = import ./services/nextcloud.nix;
|
||||
}
|
||||
|
|
|
@ -5,8 +5,8 @@ let
|
|||
|
||||
cfg = config.my.services.nextcloud;
|
||||
|
||||
defineContainer = { name, package, hostName, port, hostAddress, localAddress
|
||||
, adminUser, dataPath, dbName, settings, ... }: {
|
||||
defineContainer = { package, hostName, port, hostAddress, localAddress
|
||||
, adminUser, dataPath, dbName, adminpassFile, secretFile, settings, ... }: {
|
||||
autoStart = true;
|
||||
privateNetwork = true;
|
||||
|
||||
|
@ -23,16 +23,20 @@ let
|
|||
hostPath = dataPath;
|
||||
isReadOnly = false;
|
||||
};
|
||||
"/secrets".hostPath = "/var/secrets/nextcloud/${name}";
|
||||
};
|
||||
|
||||
extraFlags = [
|
||||
"--load-credential=adminpass:${adminpassFile}"
|
||||
"--load-credential=secretfile:${secretFile}"
|
||||
];
|
||||
|
||||
config = { lib, ... }: {
|
||||
services.nextcloud = {
|
||||
enable = true;
|
||||
inherit hostName package;
|
||||
autoUpdateApps.enable = true;
|
||||
maxUploadSize = "4G";
|
||||
secretFile = "/secrets/secrets.json";
|
||||
secretFile = "/run/secrets/secretfile";
|
||||
datadir = "/data";
|
||||
caching.redis = true;
|
||||
configureRedis = true;
|
||||
|
@ -48,7 +52,7 @@ let
|
|||
};
|
||||
config = {
|
||||
adminuser = adminUser;
|
||||
adminpassFile = "/secrets/adminpass";
|
||||
adminpassFile = "/run/secrets/adminpass";
|
||||
dbtype = "pgsql";
|
||||
dbuser = dbName;
|
||||
dbname = dbName;
|
||||
|
@ -61,13 +65,18 @@ let
|
|||
};
|
||||
};
|
||||
|
||||
systemd.tmpfiles.settings."50-nextcloud-secrets"."/run/secrets".d = {
|
||||
user = "nextcloud";
|
||||
group = "nextcloud";
|
||||
mode = "0750";
|
||||
};
|
||||
|
||||
systemd.services.nextcloud-setup = {
|
||||
wantedBy = mkForce [ ];
|
||||
serviceConfig.LoadCredential =
|
||||
[ "adminpass:adminpass" "secretfile:secretfile" ];
|
||||
preStart = ''
|
||||
# wait for postgresql to be reachable
|
||||
while ! ${pkgs.postgresql}/bin/psql -h ${hostAddress} -U ${dbName} -c 'select 1;'; do
|
||||
sleep 1
|
||||
done
|
||||
cp -vf $CREDENTIALS_DIRECTORY/adminpass /run/secrets/
|
||||
cp -vf $CREDENTIALS_DIRECTORY/secretfile /run/secrets/
|
||||
'';
|
||||
};
|
||||
|
||||
|
@ -161,6 +170,24 @@ in {
|
|||
'';
|
||||
};
|
||||
|
||||
adminpassFile = mkOption {
|
||||
type = types.str;
|
||||
description = ''
|
||||
The full path to a file that contains the admin's password. Must be
|
||||
readable by user `nextcloud`. The password is set only in the initial
|
||||
setup of Nextcloud by the systemd service `nextcloud-setup.service`.
|
||||
'';
|
||||
};
|
||||
|
||||
secretFile = mkOption {
|
||||
type = types.str;
|
||||
description = ''
|
||||
Secret options which will be appended to Nextcloud's config.php file (written as JSON, in the same
|
||||
form as the [](#opt-services.nextcloud.extraOptions) option), for example
|
||||
`{"redis":{"password":"secret"}}`.
|
||||
'';
|
||||
};
|
||||
|
||||
settings = mkOption {
|
||||
type =
|
||||
types.submodule { freeformType = (pkgs.formats.json { }).type; };
|
||||
|
@ -178,7 +205,9 @@ in {
|
|||
description = "Instances of Nextcloud to run as native NixOS containers";
|
||||
};
|
||||
|
||||
config = lib.mkMerge [{
|
||||
config = {
|
||||
boot.kernelModules = [ "veth" ];
|
||||
|
||||
containers = lib.mapAttrs' (name: value:
|
||||
let
|
||||
srvName = "nc-${name}";
|
||||
|
@ -203,5 +232,5 @@ in {
|
|||
(builtins.attrNames cfg.instances);
|
||||
enableIPv6 = true;
|
||||
};
|
||||
}];
|
||||
};
|
||||
}
|
||||
|
|
|
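Review bot: The new `adminpassFile` option text still says the file "must be readable by user `nextcloud`", but the path is now consumed on the host by `systemd-nspawn` through `--load-credential=adminpass:${adminpassFile}`, so the actual requirement is that root on the host can read it and the description should say so; the `secretFile` text likewise carries an upstream `[](#opt-services.nextcloud.extraOptions)` anchor that does not resolve in this module and should simply name `services.nextcloud.extraOptions`. Since that same description states the password is only used by `nextcloud-setup.service`, the admin password need not sit in `/run/secrets` for the life of the container: `adminpassFile = "/run/credentials/nextcloud-setup.service/adminpass";` in the container config plus dropping the `cp` of `adminpass` from `preStart` would keep it visible to the setup unit alone, assuming nothing outside that unit reads it. For the remaining copy, `install -m 0400 "$CREDENTIALS_DIRECTORY/secretfile" /run/secrets/secretfile` states the intended mode explicitly instead of relying on `cp -vf` inheriting the credential file's permissions, and drops the `-v` that echoes the path into the journal. `defineContainer` begins inside the first hunk but its body continues past the hunks shown.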
@ -7,4 +7,5 @@ _: super:
|
|||
git-multi-shortlog = super.callPackage ./git-multi-shortlog.nix { };
|
||||
homer = super.callPackage ./homer { };
|
||||
neomutt-export-patches = super.callPackage ./neomutt-export-patches.nix { };
|
||||
sway-background-image = super.callPackage ./sway-background-image { };
|
||||
}
|
||||
|
|
Before Width: | Height: | Size: 4.1 MiB After Width: | Height: | Size: 4.1 MiB |
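--- /dev/null
+++ b/pkgs/sway-background-image/default.nix
@@ -0,0 +1,14 @@
+{ stdenv }:
+
+stdenv.mkDerivation rec {
+pname = "sway-background-image";
+version = "0.1";
+dontUnpack = true;
+
+installPhase = ''
+runHook preInstall
+mkdir -p $out/share
+cp -v ${./background.jpg} $out/share/background.jpg
+runHook postInstall
+'';
+}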
1
secrets/.gitattributes
vendored
1
secrets/.gitattributes
vendored
|
@ -1,2 +1,3 @@
|
|||
* filter=git-crypt diff=git-crypt
|
||||
.gitattributes !filter !diff
|
||||
sops/** !filter !diff
|
||||
|
|
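Review bot: `sops/** !filter !diff` takes the whole directory out of git-crypt, so from this commit on anything placed under `secrets/sops/` is committed exactly as written; a sops file is safe because its values are `ENC[...]`, but a decrypted copy left behind by `sops -d … > file.yaml` would enter history in cleartext with no filter to catch it. A pre-commit check that every `secrets/sops/*.yaml` still carries a `sops:` block with a `mac` entry (or runs `sops filestatus` on each file) closes that gap. The root `.sops.yaml` lives outside `secrets/` and is unaffected by this attributes file.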
Binary file not shown.
Binary file not shown.
BIN
secrets/machines/zero.nix
Normal file
BIN
secrets/machines/zero.nix
Normal file
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
BIN
secrets/my.nix
BIN
secrets/my.nix
Binary file not shown.
49
secrets/sops/acme.yaml
Normal file
49
secrets/sops/acme.yaml
Normal file
|
@ -0,0 +1,49 @@
|
|||
acme:
|
||||
token: ENC[AES256_GCM,data:AjN5ii6lsk8wWnpZn9EalVv7ixS3NuTKitXoKbaVo20GnnQkpm9xoj/VqZ+MOxEK,iv:qBNo6Dt7Amr4HG3xzzy7MW10OxywoNMJb9kg0TVsUv4=,tag:MhphDVk5vbZVjes+SiM2gQ==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKcEJkTDZEV0o3NXV5cVFm
|
||||
OHd6a1NXNkNGcnZsQXlUTTZwUTZwOWtpL1dBCm5hd0RvVURsc3Z2M2VQa0lUY3lK
|
||||
S3lGU3NRMFp1QVE3OUJpR1J6TkQ2YUEKLS0tIGRlMm5FeGVuaXVIT2JCS1BqQkxO
|
||||
S2tMaGF6cEFyZ0l0T0NBMmp3WTg2eEUKgCLtBCkzTdwvKLPDshIpdetTDuQQ8Zpl
|
||||
kyA+/XaMns9ktzSMzkpRgGfjV1Ku9EhDFZCKppJZftiffNItyCOQew==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFdTQvSDcxRXZJMXFSTVUx
|
||||
akRxRFREME0rTHhoSFcwYkl3SFdiMXZjSW5VCkVWWklRckwrNExWSjJYNXRPWm9G
|
||||
RjFoQ0F2QTNDQXpOckN5bVRMWjFCcVEKLS0tIG1EelhsRlVvWDJqaTNFamNaOEQy
|
||||
T0pPdVE1SEU2TVd6Wi9IbzRBUXA4WXMKe5jdQPe13zhceh2xO9h9ergfaXzpuuSo
|
||||
iIw8luW2olJ9lxnYpws46zTQczVFx2TG3wcExS+vKsDrf4o7R/133w==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age165nqtky9a5kdhca70uwd0cewqle7egzm4vmcmrpfnqfuchjdg3esn7frvh
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWQ1pVYTl3bkR6eGZDZGJm
|
||||
ODJFQnAvS1Zyd2JWMEVHVGtBaDh0cTRnLzBrCmpJY2FhNFBSNElGZGxWZ1FFY0FX
|
||||
SjJ3TmQ0dFNUMThWa3pOTmR3Z2FiVWcKLS0tIGZNckcxRUdObWNVRDF6cFFHSnhv
|
||||
WWNLMjhjNjVPbXV3V2k4NUJBUFRiazAKXPjQFiFKXkiDSgFE0UiUW/ULZQSW4uyZ
|
||||
X7qK4l7mWrvqStsK8Zv/wIUd9jkJpOh73X/jsBRDQUZF0V18lnDn3Q==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1h96sm0j0k5kjmuf857xurtq7rwk5fhptenjdlkgmadtrz4lm95rqm6ctm2
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEcDNWa0tZenFDZ1pVMGxO
|
||||
Qm9IV0ZnL1BGVFlDOTl4SzBtN0RaUHJ5S3lNCkN6OU1jSU9Wd2czNWRXOHUzYVNt
|
||||
NXJ3S3pCbWZEN05zcWhXbjZpVnprWmsKLS0tIHdWdnE5ZlRoRjhNakZUdElSTkZp
|
||||
dFVvTjJqV0JFbUNWQ3NOOTZhMTlJcjQKIi6lDhbpM/ndyB7RsAN3q5PkdHL7RnF0
|
||||
u+bGTffWfiplvO+rASMaGoahez+VsEDb5MM00SoGzTMcYkrR2kruYw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-04-30T21:41:49Z"
|
||||
mac: ENC[AES256_GCM,data:ffmmRSAXvvsCK8WhmhclUz7eIVFM1Aw8eidvmSDofe+6H8PJvqJB4CQUphqQTDgfFKK9LHQzvU1vRZWtg6CqXy/SqLLUUcN3PfxZ7l895YDDi/9p7HJPUloxw/G8ovIJAAeHgJh2nQHHAbKcVAAILmB6UssCmTLeU9MzWcMTJmY=,iv:+jtQIqL+Mf88Akjkj09xvpk9cZ4GFl6w/Vx8gR3Gk8Y=,tag:qBc0i/vrLSc7EbErTLCz7Q==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
40
secrets/sops/alertmanager.yaml
Normal file
40
secrets/sops/alertmanager.yaml
Normal file
|
@ -0,0 +1,40 @@
|
|||
alertmanager:
|
||||
env: ENC[AES256_GCM,data:Fr/L5I8t83pHPHdP3eXGnvFfl7C/N2Iw64Zpamr3Z3gLevsoD8pSSbWDqb1CuhATrYY5mR3M6vpyNh+UJPHqGbgMHiW6LZWClPvesJEU3xs4clo+YM+pYwG5oSpHiuN/raXQUpaQuOmeHK3OKLELJpSkY90FIiBvd9si43xCP4FYAdhCprxWJQtINSRGCrGmzvlNScCkXyhH/QOQsDOIWFAXn2+yGH85zOiBQEzmluclI2oWpZOUbHgk4MdMBu1tHRA7g/UF6AoXrTOyqgzo/w==,iv:yvHlQAOSCMtBBXHmqfEJu4//gTZp+9du9EWodheITqQ=,tag:T1vLhmTmCINGBvh1bBA5ig==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2QTZNUW00U0xpM3dmR0RS
|
||||
QXY2TGQ5MUFORHNwVWxsNjB0UjBZQmZkUlZZCnZIQzBFYXBESjNMYys0TXRMNUUz
|
||||
VUVHZXFyNFhTdG1ZaWduRkp6ekVqbE0KLS0tIGVKTlBHYTVEWXFkWlR3MFdMajNj
|
||||
bEs5V0F4Z2JpYTFTallaeGJGcGg5K2sKl7hxy3Tr6rkoe1MJm7VMBur9NeOwPHXo
|
||||
hxGURTZdf9M7wjueXw5oYRm0fuvj1Iu40JfJ3XqhnqATohTnsHwbmA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlTzJHWmMxNVlLR0d5UnB1
|
||||
ZUdjN1lWQk1kOTN5TjczMVdjZDgwNVlUZjFnCnlwNTQ5YjYrOU5HRXlmbWdWeVox
|
||||
MGZJa2RNTDBVQkFJTmFsUXhnZDBhYmcKLS0tIE9Ld2VmMkxFK2dabVQycDAzOXVJ
|
||||
S3lsczU5eWtMSEJDdVMrOHFOd3N6UFEKskBDsioCfKT4qjQ1jOHYniE9I5YxzTRF
|
||||
Hb/KoReUEW6DHsiOZKRcJt9KdE0iTguWiFjjQqIlDWgTfeDsyf8ySg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1h96sm0j0k5kjmuf857xurtq7rwk5fhptenjdlkgmadtrz4lm95rqm6ctm2
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCWlpmOUVkWU5WL0drMXZm
|
||||
NEEwVkxDOHl1L0wyQkljSUcvRnRac1NCbXlnCnp1bzR3RllEYnprMkU5WmFBRlpK
|
||||
QnhHZThheXVnSjk0Nlg4VU9zREpxQU0KLS0tIEcxVTZ5NjFzVE14YUJRQThzeU5w
|
||||
cjdQVWM0bDEwb09XR2ZiTzRiN21wQkkKxDEhpgyYLs2HOnmNdumNpFVTuLuXnHey
|
||||
c32B0ENhJgL7XNV3V/lHa7leQqA42e/R5u6v68OEelvTPqtxNPFktQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-05-06T22:12:26Z"
|
||||
mac: ENC[AES256_GCM,data:ntbiXYuquh5vQxiv3A9wspLdXY+Wp3yCSkDtdIj4SMKlh84uyQ+oAfWo2Y0TqW9GVemzzWJs3JeEs7oMZXXP8PGRGiHShfBQ+DbIF3lsKVG6rZbaKkEnSPnDqdm2PdbuzNvr3f3sOOYVutmFxO3HHFNgu4NdFw6EQqubmS7qZxs=,iv:a42Tm/pVZ8ffJHRC6iMMkZEmKn/6Vkr8sp8sQQgyx24=,tag:jVHHgsBb9OHBee9nhoLRtw==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
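--- /dev/null
+++ b/secrets/sops/fort.yaml
@@ -0,0 +1,40 @@
+restic:
+repo-password: ENC[AES256_GCM,data:Gdz45xcUbtoKsDBi+2U4ogi32zFMvq2CNuvSotOYIFg6wYFOQjt9MDdY4w2Mo7L0Cbhem8YgBE3qpJS9yaWozjfFzWT8ya3SqMDksgju6KwSoiS5WvWdsAXsgSu/jIqvLhWTfbt7SXmDQ8Dd4d/qPNKmtphnA1Jc0ttp3+ieE8U=,iv:7MHy52gC0xXoUBAj7ZB/yoOUS8EmPW1SPjTTtkcnWvQ=,tag:LZH/IElQ0ovP/ettxhP5Gw==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzc0orOGppOFpKZ3hJbnRS
+UFJ2ZzBjNnNZVXp4SENGd0F5elJONkNrbmhJCnk3dDN5Ritjc2NiZis2SGNkbGVC
+aHJPT3R2ZytDQ2JlOUtJcUlEVjkvN0kKLS0tIFNuanJYc2JLVlBmNU9rT3l1TWhN
+RVRVYnRVS1lCeWRsdy9nYUtoUmk0RFEK+tSoWfpyeYW4exEz1/t2mgd/kcIrxZYH
+kygnj220NqLJcEHwnrUMjCvvPSlmDkTGCKZv0uBTmwg4zJpnORTRfg==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwM1JNSkY4YkdtZUkzNTFG
+L2FUQXk0RGNiVlBocGN1Qzl1bHB1allVWmdVCnMvdUpsekFTa09yWkNVVWlRazZI
+YU0vV0FUVWpReVhBVUdvOFJ6OWgrUGMKLS0tIGIzTFJHV3lwaE9EVXFqdzZaR2VL
+U2s1emNXZC8vSmpjaTJoNU92MEtsYWsKWAfGDwHnT7ly5kr4N1ZzK4l1UvYExcbT
+YgDn0GH0nMHARjYnIB0ZeqleZCC9Q1S00t4ly5SeLeCcrawgy/6OAg==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1h96sm0j0k5kjmuf857xurtq7rwk5fhptenjdlkgmadtrz4lm95rqm6ctm2
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNZDJocG9PaDlCcjNHaVJT
+MmF6RFNZUFVYeG5RRm8zQVdQZWsyRHVyZVQwCk9ydEJEdEtYSWhHNTI3MDhDWjJK
+dTFEa0E1Mjd2QUYzK01WMDBnVWpnSFEKLS0tICtuTG9ZYmp3Mk91eXN1VEgvQVFZ
+Z3pDUlZwcDNDdXN0MURnUEdLY3VZTkEKa/D6UQfoBJqEb/xQHT4f14kkahjAKBXP
+O9CtZPQ0TzfIFKPA2doXTD+dhxYAzgipsYfe7zwDn/kYEoz1uJ9hIA==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2024-05-03T12:52:36Z"
+mac: ENC[AES256_GCM,data:woldat8qOV5j48rCLMp6cc1d9BIcQgsh+QCN5SkBSsI+gu5MSVhwix3zQhCDrqNURwyc0e6cEMQAJQcTjIOU/ZAYZhEp+CwuDN3X8cwP0Rs8i2cH1dfWMi/r1obpodihm2nLUExX+6saY2afJw6sQLlt4DkqdUwq0f/9h4pBzbQ=,iv:dbsHPc5ZNyxXDuqVf6sBiPvEqOn/k0DvyFHiZYzcHR0=,tag:s/7b3GU/nZnhhSQjSaJLGg==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.8.1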
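--- /dev/null
+++ b/secrets/sops/grafana.yaml
@@ -0,0 +1,40 @@
+grafana:
+secret-key: ENC[AES256_GCM,data:Hvc/Svt+22kjVQ5WeHj0ubFQBSivZBk75QWZa4jdYDK5vcH/CZsmZXLbaEIhY6aB+z8Mp0g3e9/WI1k9AIpIE5bZ89sPCpfxnfSdX8lF8uqRCOWRQ0Z6AUk/FXjzmZhWEotcHKqHE3dY3HZ0/VCLEsXNhNub9YCdm7FgLjEI+/I=,iv:E0yPJpPWSr6C7dVU2ZgY2gxna0Zt1BzX1CsHB86KULg=,tag:HZvimLJqijpk0cr6+zWNAg==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2YUxTanZxTTNYQ3FQZUZ3
+bFB3S01xWGZrQVVlQncwelNNbjV6ZWtOWmdjClJiSWR2TXVTYkNzMzJPdDUxanpG
+MlZYY25ZTE54M1JYUTU1eHBYSEZkNzgKLS0tIEpUbjhHblBYS1cwWEpoTVo5SFN2
+UTRLamVqZmhOd3hVZFlnLzZpOTdVYVEKaOkEAvGyBdsskjYwROeFzZb9y9csJTYg
+I0foVxkx6z9pgsBCXLpK1Ij5W1w9JSWo7KZhEQP+aX3980TryWdsnQ==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpYXpUaW5iSDRaNVdXV3hM
+N1JaWmlvMmpQQ1diLzE2NXc2TTdiU0ZDalR3ClFMWnM1dVJHTmVReE1uc3dXeHVs
+VndhN1FEcVZQKzExM1pqQjY0a1ZaanMKLS0tIDUrZUZmTktkU1NqUmVKOTA4bU9B
+SDdBNlF0R1UrVlk2SElmU3RFbjBLanMKyzxYnV/MzZDV8b9pNwQ7p2F08pLkYB0Q
+NXykeRTWpjTVnU/ZPI17aVaRT5S2FZqJ6BQhs/H7DPcsq/rncRmeuw==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age165nqtky9a5kdhca70uwd0cewqle7egzm4vmcmrpfnqfuchjdg3esn7frvh
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWNkRyMDNYdmZTM1JqT2FD
+RkNFc0N5WnhreFRQSDA2VTQyMmpFMEZhSFQ4CmUvLzE4dlBoVTZRWE1NajFpcll4
+YUZRaXNmMHp5RUdNMkJPbFIvV1N4TVkKLS0tIFZjVUt2V0RkVlNzRGIvRTU3VXVR
+dU5pN3VINExuamttNVQ3OUhMN1dleFEKA4/43ktlCmreJqBqbiFc/uzUppZoaUSm
+1Ywifo2FCsH+7kF1DxFlv36o3kNVkbkAse+Upiep+gqayJFZRgN32A==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2024-05-03T13:18:57Z"
+mac: ENC[AES256_GCM,data:4MR71js5gK84Ta/UQhElkBZOuIKl8dQkbUqgE8+Ygi+W74vYnHEcNt1yk9usQJmn5qKa+nptWjTV2nHt6yn0HPCdFPAKGuL4d80VZozFbY181oGVYbuK45ZmTLAiP3ZVfztWp4IYHnoTBBh6EjOxrbKnCXN6Shratt8/Gq7PxBc=,iv:OmmyA5x0zEeKJpfi3IxAorPpw2jatT1JECU/kSOcEUI=,tag:xYQG+5DLtnbq3MWNNgpkuw==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.8.1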
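--- /dev/null
+++ b/secrets/sops/home-assistant.yaml
@@ -0,0 +1,43 @@
+home-assistant:
+automation-sshkey: ENC[AES256_GCM,data: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,iv:h2MUNcqxZaV4t1q3TzMt8NHUgp85YllsRRtiQt9n3gA=,tag:T/aPmhG8kHvc4It4KkVF/w==,type:str]
+mosquitto:
+home-assistant-password: ENC[AES256_GCM,data:En92egO+/kPWb9V8M0cwsFvwcl2mKunNM+g7qsUx9MzXLbQyiAqHaZDGNv/3vZ96tBQfWXt/xPx3LECQ0OYuAUS5nf47wpmiQ3vtJRpJ6dqZ4E3FjLmGg6iPx7M8xlzNtoO6uOT+pkWVOm7qmWTxkg==,iv:38y0Y0Znt4zAF8AuYBn3aHvE74ezB0fZKLbN7zBk8mk=,tag:33L7DWP5Ec1U9nFAVehYbg==,type:str]
+tasmota-password: ENC[AES256_GCM,data:oUUgz09Pn+ts+RsKO+axdNlvtZ6r5pDErsZq8GCtyXzuoeQQRFiOqgbv/mC4S1mKQfUOM3ZEjv+VdkqueUDAT/LpbmStiTsXtttU7JrLx+oU++ZbwLK4Nsl5GkvsUnz33c1rpqGtoB3AALXqg8qSqw==,iv:tHPM9u5ckDiFIk1HxeNxvfl/GqTJRYxoQaVc4svIGFk=,tag:Ez8dBL3RL1ygLPHb45VfUA==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBycEc3YnpvK3ZhanJmUk9y
+SitEUklMT1ZKRHh4aE5JWFh3bTl5TE5tWGlvCi9EWS95ZjF4RzM4eWNHU1NiUUlx
+dFRzVkFuNjh2Q3NpOFQvR3pQSzBXSU0KLS0tIEw0RDlxZ2JlWGZ1UzlGODBmS3NJ
+bWh5SU1iM1JGeXVMT1QrTDhvcHpLeDgKzJbbv7e4b/Em/be7469UIPw0pmm0KskS
+LTsXUitjzoaa6lQRZCjf2/mP4JOl3BGNxeqWiMfym/hjow2Oam42HA==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4bktyQ05OOUVLM25RVTlW
+UnRJS29PaytTaTRHZUluMzNraHdleFlSMFhjClVId0VIcXVJZVYyWi9ONjIybC9k
+eG1uMGw4SzQvZUhEQ0pQRnh3LytHWFUKLS0tIEtxYmw2TGpuM1UzMHB3QnYzV3da
+Zlc3b1Rxa0ZaYnNMWTdRQlZ4WWZjUkkKp2D67jhQgVbCRYLEQzoz8jA8n69CspOr
+8jjvPNJE1eXLJQG179E70ZDccF/yG5mHYSoOshLwtGM4xrURxf0jBw==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age165nqtky9a5kdhca70uwd0cewqle7egzm4vmcmrpfnqfuchjdg3esn7frvh
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwN3A5Uy9rYkxiRlhsdkFL
+RXBta0Rja3NGSEkzVTBCcTlINmdlejlmN2pZCnBuS1RZb3dRQTlLOHVpc2RNOG1T
+ZHpGd0Uvd1lZZU5lUEMvVHVFb0JvNTgKLS0tIDlhNjAvSHNyZ1dWc2U5VlpqTmNW
+ZVBwcHZWK3BRY2VlSVB2YVVBaFZxNFkKkn2H/I6sKCpcgmoiqG+0qtrA2PTyEuRW
+N4Oxr+fcVq4+leme6d38yB/Eryjbd+trrnMxLR8AEi3rIiDx+gJWcg==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2024-05-08T15:50:28Z"
+mac: ENC[AES256_GCM,data:8fpPTyxewb0awHMeUh/qjFxzWRyhDRwULWJK4RphVfqFKIzPSiCwKE6qhgYFi69J+BLXFnIteChP2KxBASzZGrtOD0jDGHsO/c4UTtl3BWAwWVRGZ8ZFBbhYCICGDULyHygtT4vcgS/Umft6wv0eOWTCS6W4HSJsC2TfhgnVkzU=,iv:PKVTbjvmkZ/nY0Duy7mW8BSgHNExml0sKcL2JPoRnEI=,tag:kkTSB12eGIVPwJrYgUDvVw==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.8.1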
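--- /dev/null
+++ b/secrets/sops/matrix-hookshot.yaml
@@ -0,0 +1,41 @@
+matrix-hookshot:
+env: ENC[AES256_GCM,data:vqm+Flo+y7XROiB51SordqeXh9wpWrTZ/80MBOCOGmdGbTVMvH0K06n0sr4AscXn9Gw+6L91B35kl1rIJiDUKriP9mA3lYUS2j4tKsWGESngeKeP0pngzPf3V27a+U4v93ReDfq/kUfdBNMLiNiWSXtKapVdz1IB4WNxTTsnYtfRi/dGndch28I0G2o2VLf2ghKungvW33U=,iv:9bBl7kyz7U3GtIeqUk22SDkxe9MhEc6XM5dCSUvUwjE=,tag:aHx5W79v/YzHmIBOQeHWNg==,type:str]
+passfile: ENC[AES256_GCM,data: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,iv:hWTkuVCPiSO6aclZM1cU2PotQBjaO8Uq3O0XNnGDm6o=,tag:k0oCxolcwNA+GtJfaBZVBw==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0US9hL0RMK0hSZmxHMCtn
+V01TcnJTOTZJODYycm84ODZIM1ZIQU9EWVZJCkh1aFFNN0ZKclJid1AyK1QxR21a
+ZmZRRGxzZk9UVitCeU1wN29yeTZHSUEKLS0tIGNkL1dFN2oyaHBKcmJvWjBkbGZ6
+Z0FyUjBPZGNjdWx6STBQa2lnUGtzNlUKYRiugiqHyqS4/5Leji9044a6FXy0R7ZM
+n+uscxe/OnFcoasx4TFAOUCwa1s6fvtq/SOJTxL2New+8BgLV9nxCA==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5RUttWTlJN0pwMWFSNWVX
+TnZiSHFmUnh3WXZNUGRlOHhzelFneTQrY1MwClJyalhaci9hU0J4V05YMnB3VGY2
+WFdqK3VIQzh1aVZWQ1djRVJGMC9mRWsKLS0tIEpYVFREMVEwTzFFOFBPNit6ck0w
+cGh6eGtPZGpCN1ZMZ3F4KzZmNFluQm8KYfyCDrTJy5T8fNpLg4cyPJlE0AOV0OUu
+l0ACXuq7WzQnM9svHjijYkKWeYvdAPF8CBRA57s00aCd2r9kOi1Szg==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1h96sm0j0k5kjmuf857xurtq7rwk5fhptenjdlkgmadtrz4lm95rqm6ctm2
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrZ1l2MnVETUN0WGwyMkN1
+SWhreFhMSnIyUnJReWhxQkYvSlNqVFdSd0NrCmp5U1Q3ckZVM05pbm8wcHBqY0xZ
+Y3ZxaE5uZXhHWHRmNWlKdG5tcmM0S00KLS0tIEVCN0x0SkV5VS9ZWWt1VE5iNXBN
+VHh4K1JhOGROOG1oM3ZnR3VoTkoxNmMKHAJQuIImN5NLRpzgL82ZH+wF02XJQmXH
+dPUp0aYr0vSd/PGxAyDpsMPt64NXPDqKQ9n1zrPV8Jd3+FsIDhwnXQ==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2024-04-30T21:40:56Z"
+mac: ENC[AES256_GCM,data:6weRfuKB5HJo06VSfFEDh8/YPwZejJlcK5BnGCYFOr2V7JmnpcjnWiEps1axkzzdiUq3gkdwu51PO1/jiJs/mCLFNrUq/KjqpYupoCYosF3p9ZDZc8LPteO1vj77tqMO6dcrNd51wYK896v2E2xT8ePRUDtQ7bO13fAdaN8f9pg=,iv:vlNvvlckY+i9+VlyTv2ZqO4tAujr9qsC7paWA7BGT4A=,tag:VIuvWvnnPmi4df/QliTn+Q==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.8.1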
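--- /dev/null
+++ b/secrets/sops/navidrome.yaml
@@ -0,0 +1,40 @@
+navidrome:
+env: ENC[AES256_GCM,data:+4uLJIdX/JPTjset854P1+lrbgLi0WydExsFwLs3B13DICDcgRie/PF8z0BxXXLh0aSWfq9pAMpvXEpJBTmRu6iK8eqsUbZO21bOy0x9zSYBQweN2FMsBvV4GmJwS8ko/fhKGJ+EevGZDJE6muSX0094vGR/l0X51cUYa5fusxcbk+HIepOXOkF1ucUFNGDEgO3ruwOZiCmU9Kr4ihAlUe6/qQmfJLiAVjFtpZNLslkq6epe8A+qOtqHji2qZwL71plaV3lvdp1TEGLgvoHjkr/yP1tVpEp+lIE=,iv:z69DLHfWAinJEJ8sUusmqGxEaUeZx3iSngYcA0j+Snk=,tag:bDR5tT1Q0iwfYRKO8+DI6A==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoYU5XR2U1THZWMWZ1Lys2
+N25mUkxDSnlQd1Q3clFhdGtPaW9iTW9yWGdBCmN4S1VVS3llL1ZlSDFqUGNXWlBo
+bkxCaGxCZGQ3VWV2eU1LcTFNSTA1S28KLS0tIDdZSEhFbTZ5cnpwaGdJRFd4Y2c3
+eUlmaHRlMGJCZk8wR0lyenl0NENBU2sKah3v9tYW5ZK0AaM5qP0tH50MjsgaEV4G
+D9b0Kn7mTT3QiO8RxlS/S0KgGQDZsraK+pY5x+568NLBIAF2aUZ6GA==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3d1FOK3FSckFITVZwaUpj
+ZWVjdkF1TUhsQ0U1MjNiTEFqdFVLUzQxU2xjCnZHZzUzU3dEalJxUlVFelNuK0tM
+UWZhMHEwZ21oc3Z6T1BZcVlpNTRTZEUKLS0tIGdDajRlVGptcFcyY0lWVXpKMXJk
+SUNOWHNlNDNqZ3RwYTJaWWYzTnBRY0UKVpvec0GUgSXRfPzZBRySsRxoVe3DEHEN
+99bUlaTtHYWzWpU0hXkvjCe5Z7eQwqwor9/CJaeZIdt8PJ9nAAeRmQ==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age165nqtky9a5kdhca70uwd0cewqle7egzm4vmcmrpfnqfuchjdg3esn7frvh
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBub2dTc1RReUFTYU9NMFJn
+bVgvUVBta21BMVNQRnN1SU8xbXMwZEcvV2kwCnYzL2xWcUc5TmZGN3k4NTVramZV
+bU1hU0pjNm1ndFBQbm5LcTE1N2NDR1EKLS0tIGdRb3o5dVEvNXB4dXdiVllIRU5G
+cWlRUkVkSFpRY2NyOTI3YlpnTEVSc3MKkUZKvhBErMZOhukmNarYCTqIoBgYP8i+
+bGaVfqOR6zCiWncN5j327BvM3Z+0wPWDbT6PUOwsRddzigRwB6E0Tg==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2024-05-03T13:22:57Z"
+mac: ENC[AES256_GCM,data:L2lWeSVK7wsvrLirgEvEl7A3a2+N95N4GzjTl0joE0AWQ/4V/QgPLmo+teg/oucgpitWTIhCPkfa6P2+2vVMwIdk1mhKTorhT1D2n8TjkBN4rpJ8SaxgUG4/awS89YGoQcy2HCWssV+16GOoo7veJg8TLfMGIRGKuRYjG+Y/d/o=,iv:icoLwQgjLSGtZ0M7eyXMqwQl1YBpFuW+KUwEImI8qYI=,tag:ecfpXcAqA9/JH0ECNsIJLQ==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.8.1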
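--- /dev/null
+++ b/secrets/sops/restic.yaml
@@ -0,0 +1,50 @@
+restic:
+rest-env: ENC[AES256_GCM,data:HPVJE/y4Jxh4ibfJwdqXqWXpyDIu0FJTf+PzFcANmu9q8m/KFhThu8IWkBYysZb67a+utYT0F/m22q0sm/xJ/4RKE1qHrDcepHf9Cv8d1WYwmh84mzgwaWmyj7iRZuUHdS3anQbIxXaWnLhugs1FrPypw31/LDbety6O2TdTfxN8gdpSTIfa7TWCXu+AQtHiViyZVLeRIpKsYYvdGfUmbL1KnpEzIN0CgyFqies9DJ0lzdE=,iv:HdzmjH1B5zVS2l1EHJBnVTBotjWZldzV7ErVuDuyQKo=,tag:++0dfGGVTugAPm4NpoykeQ==,type:str]
+backup-bot-env: ENC[AES256_GCM,data:OG1VqtFVISGeZgZ9mKSBMLJgQpILriXDlWCuMVoiiX3/YObidOD781VZF5haWbAuVP68dIr0Fux8UExcJWyZsrw=,iv:74+UBOYeUHqw5WHBSLel9op+Jj3PzXiU5v5v15aNpMU=,tag:Ui30VnSTiLOi8siB9csCsw==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6UXlPSEk0RmNMNmlpVUxo
+YXNZSVlDRDFpY1MxNi9MRThSVm9YbXEzK0JJCjdINXhhV00vS3ZBaWQxQ3NMdE4w
+N1JtbVpHRW1SbGE4UkhtUWVsanZ3TUEKLS0tIHJySXVCbXYxME41NFVET0pxMENs
+STNWcitXM0NQL3ZFdENDVGxzMEY2NFkKQp/XDzlkZP+pCEpcBfO9rMKZV/1qIv8T
+mpSV3924dwZ8XmyGhRUM7egMMJ8/2ifBhxNVoeccG1O7x3K/1R5bJg==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4WmVINVpudk5ON2UyUkFD
+bG1ianZoYVAydWJ5ZWdwUHNMZENneUpldmxNCk1qNVcvK2doeklkQzdFaTFDNDQy
+WU9TRERGT0g2RG55MnlLM04vaU81K0EKLS0tIERGQ205bHVzVCtoVVJUcnAwNU4z
+OGtvV3ZyVG1ManU5a2MyVXp2cTR4M0EKvyQ2AIju+tF+R4PRWyB6fnX0CJhQ+6Ug
+hP5d42y2XMhUaSGs1/K7Ad9XnMKt1com3fY5mCfpLYQyoklS+bGeKA==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age165nqtky9a5kdhca70uwd0cewqle7egzm4vmcmrpfnqfuchjdg3esn7frvh
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPTVVSTHN2OWViVlRlQlNy
+cXZQVmZmbzI3anJWYXIrcGUrVFdkRURHRlZ3CmtJOHZNQWMxVEw0ZzhFb3BiTXVF
+bXUyZ3BhV0x0MWNzcVZ0Z3M5MFA5d28KLS0tIDdCQmxSbjIyQ0JUU1JFNnQ4b0Rj
+S25zUDAvbFhoa1F3UEFUOWRSQzJ3VEUKn9Fy2TxYKGliELukaUURj8HsEY6ty49f
+N1H4wqCKJSLJ5hM6YhtMosYrhaCjAoIHnp24iRihRL9ZoVwd0Azh3A==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1h96sm0j0k5kjmuf857xurtq7rwk5fhptenjdlkgmadtrz4lm95rqm6ctm2
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5bU1MSWRKMDFsU2tPNHdh
+ZFdOUndTYUN3bkMwVHBXSlo2anp4ZHJEWDJnClhVbTBjdWR1b3RZTnRaTEZITzZL
+V1BCMWIyS3lkL1N2dm1RUlVwN2ZOd0EKLS0tIHRuUzZidlBXb3R6RXlOV1pDUG9n
+eVJpeDEvenVMYW5FUzdyNmg0NUVmT2sKTVGZsXZw6ZsWkfS9b22JerQD3QyPX872
+tn+RuOH3/OjuXtEgAf6l0blEbAVZtWoaJeHIx2D9w5zB6EYWSkuUoQ==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2024-04-30T22:18:59Z"
+mac: ENC[AES256_GCM,data:0HBs76F4J4RALM1LHraqQFk11T/O+QcV3eJoDt4M/k1LnQSMmuQMwwGXqk9YW3uRwQ4fFR/3jCIFNge9qWmQPRId6dv1sFUHbUFFQXJpaOAa8BPDkTFHl3jZlqEnQTMNT73oP/SKOYTKB0h076zqY+bU7c/ymuLIYpfyGFV37xY=,iv:zk+67VYRFRauSK3AT8WQmc5F6Sf316Ba7Ev3iNm2ma0=,tag:9EESzZJBWW8yuZ2svcMuSQ==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.8.1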
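Review bot: restic.yaml is the only secrets file on this page encrypted to four recipients, and it is the only one that carries both `age165nqtky9a5kdhca70uwd0cewqle7egzm4vmcmrpfnqfuchjdg3esn7frvh` and `age1h96sm0j0k5kjmuf857xurtq7rwk5fhptenjdlkgmadtrz4lm95rqm6ctm2`, which otherwise appear in disjoint sets of files (presumably the two host keys). sops grants decryption per file, not per key, so `rest-env` and `backup-bot-env` are readable on both hosts, and any value added to this file later silently inherits the same recipient set. If either host should only ever hold one of these, a per-host file (as the other sections already do) is the least-privilege shape; otherwise a short comment at the top of the file stating that it is intentionally shared by both backup hosts would document the decision.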
45
secrets/sops/sourcehut.yaml
Normal file
File diff suppressed because one or more lines are too long
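--- /dev/null
+++ b/secrets/sops/tank.yaml
@@ -0,0 +1,47 @@
+home-assistant:
+prometheus-token: ENC[AES256_GCM,data:RcAjtXbaFwf3uJFO1/M15UXxK+Dae3kjwznYL9MBRDXbi9QLGPfmFKrV0su8G0GDpoAMZ8Eg/jdU5KuiGD7DL8bNzicpE4+CI/GWdDShLmw+Yj3H3bfUY+2E9ZOG0ZUUoeo5I+i1SH2LbKpAxVwt0z6LawArUVtK8LFSgYpHE3ACHCNcDOToJYbYHBcJjBIl+TWbFvRTzUPaKhreOn37bvmKhIRKI8GqC7jCa8qRhyMZYI/cv8W0,iv:rXpIaPkQVj7I69bdZ9d75VMhriGIm42Fwmmn1uUAgs8=,tag:ACoFQ4O7fUYffisvz9FvQQ==,type:str]
+restic:
+repo-password: ENC[AES256_GCM,data:Lpm3ewlYz5ZNHEqkT1Z8IuKo8t/AVgGeFpTwPahdCIY437lAhKuuXso6F9Yi9M9g4xv6zirX2UJ2hdqtnUH3oaSZZJGJo4xpTqx3EYQumQM3aF7zcCH31eQbynwWV3BuYlsRqRDI7NzP/EkuHqfTTm0xU8znBSLIkcMF6rTdavQ=,iv:zcGD0yroyyet80Z/9YQmB4i+72/OsY0AnN6qgP4ZihU=,tag:h2DduuJc+QQXXYwse7/Ryw==,type:str]
+nextcloud:
+#ENC[AES256_GCM,data:0vQ6wCqKtkDt8AiFObVEe0MQLxoWOYcrYn8sp2rDn50DyehAXQ==,iv://ePZvGMpgVTByRjTKXpc5SNPSQGAbFnmECPqZ7hxps=,tag:DASalULgBJtcFy8Zn99Pjw==,type:comment]
+842fd10d-4277-4f73-b37a-f2082987d0b3:
+secretfile: ENC[AES256_GCM,data:8iYXj6xZBJS2tAvJ9l7pQWdVsvwDtkHG8PopbeMlbfborJQEEXRTxgwMRaDSa9KvUzF+/IgnEnTLTxFjS+SuPm9E8boH4igIDK8eEJxbV178IleI4RqYFyulbtMquCFPQzIsNuR5219JSFwfFThcdL4H6WJbgG8YWECu6BqkNZMohEQfFXAV9zR+fb3K2ZdeVP09wYKu0a0VBcO8Xyvu/wmto71eFZ//x0L/c3sOnUEzmPnlVE9FRY4E7zFhVt+w6MoOOTRF1jwypavgs7pd/odW6GSF/9b+xRvmkt2OCHxTomXUa2i9d6Svchg/O7hLOAB3LgIarg==,iv:Hb27e9oBjJLZmlZ5xKiiZ9VwB6B2S3mXVx4egcvgCGM=,tag:uoa/nj5sAEcEZ5oXCuZIaA==,type:str]
+adminpass: ENC[AES256_GCM,data:SntQz/z73eiQxt5yskKZNJNkYifj4yqJ8+IDG+uOc9JseFhFdb++r55GTOWIKwXS8T/jYMM+l6KyZtOUM+hZjzHGKujvkuZ8CNOVLLedJUwhI6ysVSH2l3wZSVxNdVtx3b3iyVMwcOpvWZSz6tRJaUSrapFzASBvF7euiODZP8A=,iv:prW1yBa6mBTjIiZCSfVAu6/8Ea7542f30ibDnsX37nE=,tag:fLKjfeUoKwAmR+nK1u54Qg==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBldU9tSlk4Rm9qYk5xMkU5
+aFllMVlXMFVOZlA4WnV2eU1xWVBIalJTczBNCnNMMjl6d3B2WnhtMGdBV0J0WWk3
+eVdvNXhTT1pFWUFKWDAzd0xHVzNwbnMKLS0tIHNEQ29DN25nODRmYmhBVWJ2aXRW
+Sk43ajhwZll3L3NCWmZUbktxUFNUZXcKXNdUkkuor/0pCWzsWDpb7329D03qJOca
+W3nLFEApBkKFd/UE2duprkZMIfrTFiUowS0L3XUuaMoLXVZU2ftOqg==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyS1d4Vk5oZWN4WGdxSmM1
+ZWFuSnFKZzBXWWxpdXZRSG44dmdLMnhpMUFrCmFzcFJqTEU3QUJ4Q20vTTRkR1ha
+cFRlamhQYzFML21mU1ZDYkFvVVlJMlkKLS0tIEl0TGp6YndCbjRWakNDTlA5R3F6
+aDRHM2hDelNHUjFCMk9xZlA1RGE4RXcKRMxp94CWD85NTFZZe6d/rlummb1SHHWu
+QaTuGfYv+sB/lzUmChujUc8UBjN9Rg9XHVgXhpIJE1dR/NSzK42Gbw==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age165nqtky9a5kdhca70uwd0cewqle7egzm4vmcmrpfnqfuchjdg3esn7frvh
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzS2VqOVdKNkcyRndML2Qv
+QVgyMWp0V281TUVJRU5BM05XRGFYMkJpeWpVCkVWZEptSUk3dVZHOVhZcWFXQ3B3
+M0ZCQXNuNFdpY2lLaFZET3ZnSHhsZEUKLS0tICtiM0krNEg1MjhqcXkvYUtxTnJo
+UklDUGdkWWxxVHhQTGdNL2hNRm94Sk0KdtYGJQdTzDO/CBB/4B1vEjgnCDuiTrJ3
+tshBxNWTCRUarMKYiCkxMAIXr/ws42rV5zSZeZLpuUZ1ny6fUG1z2A==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2024-05-07T10:10:00Z"
+mac: ENC[AES256_GCM,data:+KTX7YUOpOzaQiON5m+eeS24MrPV+USvIyUbbXUlj1HT8ryfqP4pSof58po4S7rKD8xGVduYVGT5yFKZBXMe/pQXey0Y2vuxnG9zNX4Lc0wisvh2lxsQxLYzdcnnjR/YjGCRJDxX8+eQuGonR4EEe0aaf7x4zHL1xOY5aXLyE34=,iv:bp1W9AUeLHC0yro0ayCht9PV/rH6XhyXz/kZGRmOGxE=,tag:xHMw+g2L//PDjEW1cfPwZg==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.8.1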
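--- /dev/null
+++ b/secrets/sops/vaultwarden.yaml
@@ -0,0 +1,40 @@
+vaultwarden:
+env: ENC[AES256_GCM,data:0Ayxqf30Gto5ek5l4ECbTrgwg7XVfA9L+viFX2FfHJsEfmAg4PY7aO/43JvQEfYOMz0Hnpus1bEDgUUSiuiRFB830GkQ9f/70GcMP8V4GjZyM0JDpOt7Mr585cWow0Z7zC4oGCXamFeFL0tsMZbtpWp0rftP/RBiK8zlLYT/ggJkC+6R6wtN7nqXpvwO+0ttyhsiB9oDLWnLawnxa2R6+zcd+r/Agk8eVG+yDrY=,iv:mH9MC80np5TVzN+u3IddBei05lye2oqH4CKFeBI2/hY=,tag:p5kBU3AQWsz7tlsznp6ZMg==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBETVJvWEtjUnNzMlZUMkYr
+QTk5bVhPYjBFWU5mRzJLR2RQUlFIK0ZaQnlNCnI3NnVIS2xRQUFkUVR0K0xWVExP
+WjB5S0Z6WlliOW9ORjk1ZnMxT1pvNzQKLS0tIHVxVFZSTDJlc2dSUUx2Z1V3QXI1
+N2FLTU1udTU5RU9ZNzhaNXAzcHcvMUUKyqiyDv/k7rQ+MLDlWdYAsHValDTK3jS8
+1V870Xhu3HYc1yMYrPw1PvNdQ5BHT+a18h4MRwhG/f2SyJUsvdo7bQ==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1aE9qK2R3bVozTDRGNUtw
+KzBETkplaVB2aTJ6a052YUpGVWxTV2xaTm5BClhySjUrd1pqME5jS0ZMYW1FcVdw
+U1NwSHZHZ2VpQUlxT1VMU3lJdXFCM1UKLS0tIHVhcTBsbjVzVElSam16Y3RsWDdX
+S0FrN3dTdjFETzEweVdJTEJvNzlHYTQKUmggWKUhl1dXR2+gRyCpKG0sNf++zmnf
+2GGdj2UTNs2reAUaz/Q/Ytb37mZ1gNYNUCLiuGVAwmiAOYVKsoxD+w==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age165nqtky9a5kdhca70uwd0cewqle7egzm4vmcmrpfnqfuchjdg3esn7frvh
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwSlFHdmY3VVlTWXA4VmpT
+aDlvYm1LajdrWjZvZGFXMDAxTGRnRXRCRkFjCkd2TDNpQVBhTWdCWXdmaEtHbExX
+TWJLL0R6R0l4ODVMRUVIemJmKzc5eUkKLS0tIHlaZE0wTExuaDdoQktDNzlhS25z
+b0VQbTV4QXJwbGxuSUY3UTltOE54cmsKPvF1SVinNyg55qWPJdKHrBjymVnG5Ovj
+/UaIg2/ZZTuycf2Vbpl22ICLWNjEQUJ/0p9Yqe/orXLUFd/27vsB6g==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2024-05-03T13:14:32Z"
+mac: ENC[AES256_GCM,data:xRCSk5E/sl0A2//xh1Qi91whUrAeN/ZMHuxAVdSeT0YxKQWQ9RKMaQQzZAm/fiiQzeEhm45LLg24X5iPNeu3nQbEwO0CZlAuWLgDCYsIaw2mNtZKQSNl7W5hEwXamqlDqQVSjyctuQ70AZEacIixrnn+o2XABW8EZeExhvzDTGg=,iv:1p97jbZB0zHn6invGdjuy0q34P1ToMx+ZHyITfMGKJk=,tag:BD5ZjIRFJ0zYKg8YewLRWQ==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.8.1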
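--- /dev/null
+++ b/secrets/sops/wireguard.yaml
@@ -0,0 +1,53 @@
+wireguard:
+#ENC[AES256_GCM,data:OLWr/KieDmV+/dSiUBp2xs6gLSIo8g==,iv:Qzzsu4iYSd0AhNO+VWpiV4FZekQb/aaGK5QQbLguh5E=,tag:HqhA5VW1jiIizKrpQcNr8Q==,type:comment]
+5b2b3c29-2dcc-48cd-957c-c7e9d3d02d1d: ENC[AES256_GCM,data:OoexGaislazlqlabTSXKrj9eZOqd2V+IQw6jGOsbI7A99zWmZYLFmHH0Bng=,iv:1Uqcd16bnrt7tcAPZSntGXAUyQfZlWzNIDtBOeckVL0=,tag:ZOP8EqC1Vz6pV3OiybkypQ==,type:str]
+#ENC[AES256_GCM,data:o6ONW1W1c7gPnUZIb/+GcUYd8sH0VVS6,iv:JGFmr71CzrusnGF6qBI2ZPq9MjuhpM+KFU7e62A291o=,tag:kf4GKCI2fPmMd2ULsNCGYg==,type:comment]
+7f249c50-7b40-4657-972c-e0a5adc1e1fc: ENC[AES256_GCM,data:kTIXnvmHkzhm2vgiEH8Bcac1VqZzLDp8FJArd9vrIaSLg+BZkaz7U21buYs=,iv:5r7Aba02tBjWe6pevo9TRi5zYc6BNQ4DQdAp2IpcvZc=,tag:uxhlSFeQ7jG1Bnc8j2ZTTg==,type:str]
+#ENC[AES256_GCM,data:0EIWbVmp3xI3VMN8mnKzQbc6VUNCIgy4,iv:dungCF6Ovt3rxt8xf5T1e8j+FZGi7VISc70938dcLSI=,tag:7P/SFaLIbWNKMpYHhZiCGQ==,type:comment]
+da994091-27db-4547-a05c-c2bf4e6e87e9: ENC[AES256_GCM,data:k1Cqp9KE3PHOXe9H2Uy4AkcxzLQCkrQNSc+aLj45LI1ftJg/+4sdLKXk+/Y=,iv:hZO16KCfc/YmyOoLzE+n5qEeX/Qtgsg7ZHvbfd8JnhI=,tag:BLKJfQmHy8U6jzOIpNClxA==,type:str]
+#ENC[AES256_GCM,data:UuYULtcN+UHUIEVdLKYVis2B0O4ZaZ3c,iv:9sLo6QKMwDX3UWyBGEeRrhIN9Jm/aSvlPptxAO2hoyc=,tag:ZqwO3FG3zta/WSYwkIwqUA==,type:comment]
+b2b7693d-35ac-4c49-bc35-4b99b075d891: ENC[AES256_GCM,data:mo9axAdQ7hVepzT2bDDfc+L0Ju0R5hOUFJeoEi03ARTyNJux69tCgLUf6bI=,iv:KxMnQ1IttECX85HUvIQHmF4cEANnpzHVuCRpVC7dDkE=,tag:ZzjAKJAXR9porTVtVoTgLQ==,type:str]
+#ENC[AES256_GCM,data:/n/QFVcAVIonCSPWjFyBD6YZn+Rbr6dL,iv:i+dLc6SBshnght0ULDsRNYy2VP5CiKiMVN91q7TpcPM=,tag:EOwRpwUq56oj3LGX9QnD9w==,type:comment]
+fe1f7024-198e-43f0-8bd8-461a5565f424: ENC[AES256_GCM,data:2F2qo9NxfLtgnhimmF4niOcykgM3ZDYiy3kyjIzCXlD4+moHrLd7ae01wDg=,iv:Q6z779xQtcleJqWR5B831w1lFKIYuuGNK65HBaHFm9Q=,tag:wnL47S2S7o1xB1OWTjstyQ==,type:str]
+#ENC[AES256_GCM,data:6OUepIquZtsTJWl8L7+JXDIqNb/RimG3,iv:2sdUGTPG3ERfvzxldZI5J6vSSPmLk9eI7CwsrTTOyrU=,tag:r389p8njBW70LhkZSAr7Fw==,type:comment]
+7a57b7be-18d0-45e1-8432-a711d803358f: ENC[AES256_GCM,data:hR1VBdrHxVEWjfvtoZlFQTOSSW3E3oH1+hN40S1OhAOSScQOsn0pbQD4A60=,iv:26Woek+VoATD3ak9MP22fZr6kcfS8eWDlczulizGrkc=,tag:7Jkwwim/mXV7B9BX3DZp4A==,type:str]
+#ENC[AES256_GCM,data:ziJN0QffpjSBfGeAwvLM9hNrIwEB3v3sJf8=,iv:s2B14RLbiM8GxALb4GWiZvJFmnfRoJI6jAwv0BBRQ6s=,tag:qIBgaSDebDY0jp4Lje/xgA==,type:comment]
+a2ffe63a-d381-49ef-8cf2-deb469245582: ENC[AES256_GCM,data:3zospTsIAvR6+k6pTyPNabtaEvEISai9ZvaJk5l9S2owX4QmooQzQlm8CVk=,iv:iq96xIVybMD09dhE2n9ppI7wAwEqdOkSFOIu1gNdcfI=,tag:HHGbFSCCUKo2AINmY+CNOw==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByMlV2TFpxZVFkRjJ0R01S
+NGJMbWt0Y1lGUFoyRFUwS3UyMnY3Z3B5S0NJCkh1cHU3WU9Qc1VEblNqUFJqNEtS
+RVdBZ0YxM3Vnbi9IUDhyVHRCd3JWZXMKLS0tIE53aVBMNXRMcC9kMDQ4RHdKWEYv
+MnNEOXNjYVk2Z2JueXZ5Z1pDY0M5WE0KflcFLEX+7N4ptKNshQvrk5ogvM3hA0gc
+AadoiuqKaWbWnEv5jIa1UAYep4lwzguNXqBhMuGI5ywVRBrMSridHQ==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhV1N0enZJUUUyQzFVRnpy
+ZEtsKzRralgzR2JnRmxIV0ZhSFRpRGZtclFRCjJ6Y3JVZ0p5Rm95MVFXR1pUMjd3
+eUxPWFVWcFFFd3RlRVdRcm9lVGRCS3cKLS0tIFBPa1lmR0xnZlNWYWc4eTIwR1gy
+SnNScEdQR1FJTk4wSVhYMjVFeThXTUEKAeUIAIQFNVvDGRpG5DbuXOOIyowAdBuB
+gT78lwqP5nIhVyqIrO6qsz6WTYqbpueu85cDXwocMn1bP16/NsB9XA==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1h96sm0j0k5kjmuf857xurtq7rwk5fhptenjdlkgmadtrz4lm95rqm6ctm2
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvcUVPc3lzYkRSZ2duZHJs
+VmxDSHNURTlKMUtnWGRUcFgyVDUzaENKVW1JCjlJSjRMcjJMbnh2VlBEOVl0MzNh
+S3VwOGhSKzI0K3pER0hTTVE5MGdjclEKLS0tIEVDenArRGZHdnc3R3NnTmlrZjlu
+Y2F4OTROcjdzdlJTdnRZYXFxYlV2aVUK8sRR07aL3Ig3t39zqXxm+5igWG9xLXlo
+DXf8yCXNhpI22NWmGMmG79b9mw7rmkfc9rRsgZnj/BZsCHmRkvFUlQ==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2024-04-30T22:14:44Z"
+mac: ENC[AES256_GCM,data:eI1XcAhJVOvsaNFZN1SfsL/kTLDPHUbTR7Vdi6ipLT7vXfCmmbdj6LWy6lxEtsNlW4lGEX7i1vI7uh5/C0u2ijiWJjIkw/Ds5nbKGJXw7Bqll3fURrlG+2l1hOAXKghbXFh5BeZhVsGx7IGLVhUm64mZ1Z9AvWShW6wGpIWj6+c=,iv:MwuBIVpU+Zs4iRrP6/3haoEMX6FiFiPDK+NtiCJOoto=,tag:69iks/MDaKT93xfb7cBB9A==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.8.1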
40
secrets/sops/zero.yaml
Normal file
File diff suppressed because one or more lines are too long
|
@ -4,6 +4,11 @@ let
|
|||
toConfigFile = name: cfg: pkgs.writeText name (lib.generators.toYAML { } cfg);
|
||||
blackboxExporterCfg = config.services.prometheus.exporters.blackbox;
|
||||
in {
|
||||
sops.secrets."alertmanager/env" = {
|
||||
sopsFile = ../secrets/sops/alertmanager.yaml;
|
||||
restartUnits = [ "alertmanager.service" ];
|
||||
};
|
||||
|
||||
services.prometheus = {
|
||||
enable = true;
|
||||
checkConfig = "syntax-only";
|
||||
|
@ -123,7 +128,7 @@ in {
|
|||
listenAddress = "[::1]";
|
||||
logLevel = "info";
|
||||
webExternalUrl = "https://alertmanager.${my.domain}";
|
||||
environmentFile = secrets.alertmanager-env.destination;
|
||||
environmentFile = secrets."alertmanager/env".path;
|
||||
checkConfig = false;
|
||||
configuration = {
|
||||
route = {
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, pkgs, my, ... }:
|
||||
{ config, pkgs, my, secrets, ... }:
|
||||
|
||||
let
|
||||
conduitSettings = config.services.matrix-conduit.settings;
|
||||
|
@ -109,32 +109,30 @@ in {
|
|||
};
|
||||
};
|
||||
|
||||
services.restic.backups.matrix-conduit =
|
||||
let resticCfg = my.homelab.services.restic;
|
||||
in {
|
||||
inherit (resticCfg) environmentFile;
|
||||
initialize = true;
|
||||
repository = "${resticCfg.repositoryBase}/${config.networking.hostName}";
|
||||
passwordFile = "/var/secrets/restic/repo/${config.networking.hostName}";
|
||||
paths = [
|
||||
"/var/backup/matrix-conduit/conduit.db.zst"
|
||||
"/var/lib/matrix-conduit/media"
|
||||
];
|
||||
timerConfig.OnCalendar = "*-*-* 4:05:00"; # daily at 04:05
|
||||
backupPrepareCommand = ''
|
||||
set -euo pipefail
|
||||
umask 0077
|
||||
f=$(mktemp)
|
||||
services.restic.backups.matrix-conduit = {
|
||||
environmentFile = secrets."restic/rest-env".path;
|
||||
initialize = true;
|
||||
repository =
|
||||
"${my.homelab.services.restic.repositoryBase}/${config.networking.hostName}";
|
||||
passwordFile = secrets."restic/repo-password".path;
|
||||
paths = [
|
||||
"/var/backup/matrix-conduit/conduit.db.zst"
|
||||
"/var/lib/matrix-conduit/media"
|
||||
];
|
||||
timerConfig.OnCalendar = "*-*-* 4:05:00"; # daily at 04:05
|
||||
backupPrepareCommand = ''
|
||||
set -euo pipefail
|
||||
umask 0077
|
||||
f=$(mktemp)
|
||||
|
||||
# consistency is provided by the internal locking of sqlite
|
||||
${pkgs.sqlite}/bin/sqlite3 /var/lib/matrix-conduit/conduit.db ".backup $f"
|
||||
${pkgs.zstd}/bin/zstd --compress -9 --rm --force \
|
||||
-o /var/backup/matrix-conduit/conduit.db.zst $f
|
||||
'';
|
||||
backupCleanupCommand = my.mkResticBackupNotificationCmd {
|
||||
name = "matrix-conduit";
|
||||
inherit pkgs;
|
||||
inherit (my.notifications.backup-bot) environmentFile;
|
||||
};
|
||||
# consistency is provided by the internal locking of sqlite
|
||||
${pkgs.sqlite}/bin/sqlite3 /var/lib/matrix-conduit/conduit.db ".backup $f"
|
||||
${pkgs.zstd}/bin/zstd --compress -9 --rm --force \
|
||||
-o /var/backup/matrix-conduit/conduit.db.zst $f
|
||||
'';
|
||||
backupCleanupCommand = my.mkResticBackupNotificationCmd {
|
||||
name = "matrix-conduit";
|
||||
inherit pkgs secrets;
|
||||
};
|
||||
};
|
||||
}
|
||||
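Review bot: The new `services.restic.backups.matrix-conduit` body reads `secrets."restic/rest-env".path` and `secrets."restic/repo-password".path`, but neither `sops.secrets."restic/rest-env"` nor `sops.secrets."restic/repo-password"` is declared anywhere in this file's hunks, whereas the other Nix hunks on this page declare the entry right next to its consumer. If they are declared in a shared host module (and `secrets` is, presumably, an alias for `config.sops.secrets` passed in via the new module argument on the first hunk), a one-line pointer above the block, e.g. `# restic/* sops secrets are declared in the host module`, would spare the next reader the search; if they are not declared at all, evaluation will fail on a missing attribute. Note also that `restic/repo-password` does not appear in secrets/sops/restic.yaml on this page (that file only has `rest-env` and `backup-bot-env`), so the declaration must point at a per-host sopsFile. The enclosing attribute set starts before the hunk.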
|
|
|
@ -1,6 +1,12 @@
|
|||
{ config, my, pkgs, secrets, ... }:
|
||||
|
||||
{
|
||||
sops.secrets."grafana/secret-key" = {
|
||||
sopsFile = ../secrets/sops/grafana.yaml;
|
||||
owner = "grafana";
|
||||
restartUnits = [ "grafana.service" ];
|
||||
};
|
||||
|
||||
services.grafana = {
|
||||
enable = true;
|
||||
declarativePlugins = with pkgs.grafanaPlugins; [ ];
|
||||
|
@ -19,7 +25,7 @@
|
|||
enforce_domain = true;
|
||||
};
|
||||
security = {
|
||||
secret_key = "$__file{${secrets.grafana-secret-key.destination}}";
|
||||
secret_key = "$__file{${secrets."grafana/secret-key".path}}";
|
||||
disable_gravatar = true;
|
||||
cookie_secure = true;
|
||||
content_security_policy = true;
|
||||
|
|
|
@ -1,7 +1,22 @@
{ my, pkgs, secrets, ... }:
let trimNewlines = builtins.replaceStrings [ "\n" ] [ "" ];
let
trimNewlines = builtins.replaceStrings [ "\n" ] [ "" ];
mosquittoSecret = {
sopsFile = ../secrets/sops/home-assistant.yaml;
owner = "mosquitto";
restartUnits = [ "mosquitto.service" ];
};
in {
# https://nixos.wiki/wiki/Home-assistant#OpenSSL_1.1_is_marked_as_insecure.2C_refusing_to_evaluate
nixpkgs.config.permittedInsecurePackages = [ "openssl-1.1.1w" ];
sops.secrets."home-assistant/automation-sshkey" = {
sopsFile = ../secrets/sops/home-assistant.yaml;
owner = "hass";
restartUnits = [ "home-assistant.service" ];
};
services.home-assistant = {
enable = true;
config = {
@ -41,7 +56,7 @@ in {
schedule = { };
shell_command.poweroff_zero = trimNewlines ''
${pkgs.openssh}/bin/ssh
-i ${secrets.automation-sshkey.destination}
-i ${secrets."home-assistant/automation-sshkey".path}
-o StrictHostKeyChecking=no
automation@zero poweroff
'';
@ -78,6 +93,9 @@ in {
systemd.services.home-assistant.after = [ "postgresql.service" ];
sops.secrets."mosquitto/home-assistant-password" = mosquittoSecret;
sops.secrets."mosquitto/tasmota-password" = mosquittoSecret;
services.mosquitto = {
enable = true;
listeners = [
@ -85,8 +103,7 @@ in {
address = "::1";
users.homeassistant = {
acl = [ "readwrite #" ];
hashedPasswordFile =
secrets.mosquitto-home-assistant-password.destination;
hashedPasswordFile = secrets."mosquitto/home-assistant-password".path;
};
}
{
@ -98,7 +115,7 @@ in {
];
users.tasmota = {
acl = [ "write tasmota/discovery/#" ];
hashedPasswordFile = secrets.mosquitto-tasmota-password.destination;
hashedPasswordFile = secrets."mosquitto/tasmota-password".path;
};
}
];
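Review bot: The `shell_command.poweroff_zero` invocation in the second hunk keeps `-o StrictHostKeyChecking=no`, so the relocated automation key is offered to whichever host answers for `zero` without any host-key verification; only the `-i` path changed, the weakness stays. Since zero is presumably managed from this same repo, its host key can be pinned declaratively with `programs.ssh.knownHosts.zero.publicKey = "<ZERO_HOST_KEY>";` and the `-o StrictHostKeyChecking=no` line dropped (or turned into `-o StrictHostKeyChecking=yes`). The `shell_command` attrset continues past the hunk, so any sibling ssh commands should get the same treatment.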
@ -1,4 +1,4 @@
{ config, my, ... }:
{ config, secrets, ... }:
let
conduitCfg = config.services.matrix-conduit.settings.global;
@ -11,11 +11,20 @@ let
resources = [ "webhooks" ];
};
in {
sops.secrets = builtins.listToAttrs (map (n: {
name = "matrix-hookshot/${n}";
value = {
sopsFile = ../secrets/sops/matrix-hookshot.yaml;
owner = config.services.matrix-hookshot.user;
restartUnits = [ "matrix-hookshot.service" ];
};
}) [ "env" "passfile" ]);
services.matrix-hookshot = {
enable = true;
inherit (my.services.matrix-hookshot) environmentFile;
environmentFile = secrets."matrix-hookshot/env".path;
settings = {
inherit (my.services.matrix-hookshot) passFile;
passFile = secrets."matrix-hookshot/passfile".path;
bridge = {
domain = conduitCfg.server_name;
url = "http://[${conduitCfg.address}]:${toString conduitCfg.port}";
@ -1,10 +1,16 @@
{ config, my, pkgs, secrets, ... }:
{
sops.secrets."navidrome/env" = {
sopsFile = ../secrets/sops/navidrome.yaml;
restartUnits = [ "navidrome.service" ];
};
services.navidrome = {
enable = true;
settings = {
Address = "[::1]";
BaseUrl = "https://music.${my.domain}";
FFmpegPath = "${pkgs.ffmpeg}/bin/ffmpeg";
ImageCacheSize = "500MB";
ScanSchedule = "@every 10m";
@ -13,29 +19,27 @@
};
systemd.services.navidrome.serviceConfig.EnvironmentFile =
[ secrets.navidrome-env.destination ];
[ secrets."navidrome/env".path ];
services.restic.backups.navidrome =
let resticCfg = my.homelab.services.restic;
in {
inherit (resticCfg) environmentFile;
initialize = true;
repository = "${resticCfg.repositoryBase}/${config.networking.hostName}";
passwordFile = "/var/secrets/restic/repo/${config.networking.hostName}";
paths = [ "/var/backup/navidrome.sql.zst" ];
timerConfig.OnCalendar = "*-*-* 4:10:00"; # daily at 04:10
backupPrepareCommand = ''
set -euo pipefail
umask 0077
# consistency is provided by the internal locking of sqlite
${pkgs.sqlite}/bin/sqlite3 /var/lib/navidrome/navidrome.db .dump \
| ${pkgs.zstd}/bin/zstd --compress -9 \
>/var/backup/navidrome.sql.zst
'';
backupCleanupCommand = my.mkResticBackupNotificationCmd {
name = "navidrome";
inherit pkgs;
inherit (my.notifications.backup-bot) environmentFile;
};
services.restic.backups.navidrome = {
environmentFile = secrets."restic/rest-env".path;
initialize = true;
repository =
"${my.homelab.services.restic.repositoryBase}/${config.networking.hostName}";
passwordFile = secrets."restic/repo-password".path;
paths = [ "/var/backup/navidrome.sql.zst" ];
timerConfig.OnCalendar = "*-*-* 4:10:00"; # daily at 04:10
backupPrepareCommand = ''
set -euo pipefail
umask 0077
# consistency is provided by the internal locking of sqlite
${pkgs.sqlite}/bin/sqlite3 /var/lib/navidrome/navidrome.db .dump \
| ${pkgs.zstd}/bin/zstd --compress -9 \
>/var/backup/navidrome.sql.zst
'';
backupCleanupCommand = my.mkResticBackupNotificationCmd {
name = "navidrome";
inherit pkgs secrets;
};
};
}
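Review bot: `passwordFile = secrets."restic/repo-password".path` in the second hunk depends on a `restic/repo-password` sops secret, but the only restic declarations this commit adds, in `services/restic-client.nix`, cover `rest-env` and `backup-bot-env`; unless `repo-password` is declared in a host module not shown here, evaluation fails with a missing attribute. The same reference appears in the paperless-media, postgresql-15 and gitsrht backups further down, so one declaration covers all of them. Adding `"repo-password"` to the list in restic-client.nix would also give it the `group = "restic-backup"; mode = "0440"` that the non-root backup users (`paperless`, `postgres`, `git`) need to read it; note the replaced path was per host (`/var/secrets/restic/repo/${config.networking.hostName}`), so if repository passwords differ per machine the secret has to stay host-specific rather than shared.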
@ -1,6 +1,13 @@
{ config, pkgs, secrets, ... }:
{
sops.secrets."acme/token" = {
sopsFile = ../secrets/sops/acme.yaml;
owner = "acme";
inherit (config.security.acme.defaults) group;
mode = "0440";
};
services.nginx = {
enable = true;
enableReload = true;
@ -17,12 +24,19 @@
networking.firewall.allowedTCPPorts = [ 80 443 ];
security.acme.acceptTerms = true;
security.acme.defaults = {
dnsProvider = "hetzner";
dnsResolver = "hydrogen.ns.hetzner.com:53";
reloadServices = [ "nginx" ];
environmentFile = secrets.hetzner-acme.destination;
security.acme = {
acceptTerms = true;
defaults = {
email = "contact@christoph-heiss.at";
dnsProvider = "hetzner";
dnsResolver = "hydrogen.ns.hetzner.com:53";
reloadServices = [ "nginx" ];
environmentFile = secrets."acme/token".path;
};
certs."c8h4.io" = {
domain = "*.c8h4.io";
extraDomainNames = [ "c8h4.io" ];
};
};
systemd.services.nginx = {
@ -1,4 +1,4 @@
{ config, lib, my, pkgs, ... }:
{ config, lib, my, pkgs, secrets, ... }:
let
paperlessEnv = config.services.paperless.settings;
@ -67,23 +67,21 @@ in {
users.users.paperless.extraGroups = [ "restic-backup" ];
services.restic.backups.paperless-media =
let resticCfg = my.homelab.services.restic;
in {
inherit (resticCfg) environmentFile;
initialize = true;
repository = "${resticCfg.repositoryBase}/${config.networking.hostName}";
passwordFile = "/var/secrets/restic/repo/${config.networking.hostName}";
user = "paperless";
paths = [
"/var/lib/paperless/media/documents"
"/var/lib/paperless/classification_model.pickle"
];
timerConfig.OnCalendar = "*-*-* 4:00:00"; # daily at 04:00
backupCleanupCommand = my.mkResticBackupNotificationCmd {
name = "paperless-media";
inherit pkgs;
inherit (my.notifications.backup-bot) environmentFile;
};
services.restic.backups.paperless-media = {
environmentFile = secrets."restic/rest-env".path;
initialize = true;
repository =
"${my.homelab.services.restic.repositoryBase}/${config.networking.hostName}";
passwordFile = secrets."restic/repo-password".path;
user = "paperless";
paths = [
"/var/lib/paperless/media/documents"
"/var/lib/paperless/classification_model.pickle"
];
timerConfig.OnCalendar = "*-*-* 4:00:00"; # daily at 04:00
backupCleanupCommand = my.mkResticBackupNotificationCmd {
name = "paperless-media";
inherit pkgs secrets;
};
};
}
@ -1,4 +1,4 @@
{ config, lib, my, pkgs, ... }:
{ config, lib, my, pkgs, secrets, ... }:
{
services.postgresql = {
@ -17,20 +17,18 @@
users.users.postgres.extraGroups = [ "restic-backup" ];
services.restic.backups.postgresql-15 =
let resticCfg = my.homelab.services.restic;
in {
inherit (resticCfg) environmentFile;
initialize = true;
repository = "${resticCfg.repositoryBase}/${config.networking.hostName}";
passwordFile = "/var/secrets/restic/repo/${config.networking.hostName}";
user = "postgres";
paths = [ "/var/backup/postgresql/all.sql.zstd" ];
timerConfig.OnCalendar = "*-*-* 4:30:00"; # daily at 04:30
backupCleanupCommand = my.mkResticBackupNotificationCmd {
name = "postgresql-15";
inherit pkgs;
inherit (my.notifications.backup-bot) environmentFile;
};
services.restic.backups.postgresql-15 = {
environmentFile = secrets."restic/rest-env".path;
initialize = true;
repository =
"${my.homelab.services.restic.repositoryBase}/${config.networking.hostName}";
passwordFile = secrets."restic/repo-password".path;
user = "postgres";
paths = [ "/var/backup/postgresql/all.sql.zstd" ];
timerConfig.OnCalendar = "*-*-* 4:30:00"; # daily at 04:30
backupCleanupCommand = my.mkResticBackupNotificationCmd {
name = "postgresql-15";
inherit pkgs secrets;
};
};
}
@ -43,7 +43,7 @@
scrape_interval = "60s";
metrics_path = "/api/prometheus";
authorization.credentials_file =
secrets.homeassistant-prometheus-token.destination;
secrets."home-assistant/prometheus-token".path;
static_configs = [{
targets = [ "tank:${toString my.services.home-assistant.port}" ];
}];
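Review bot: `secrets."home-assistant/prometheus-token".path` is consumed here but no `sops.secrets` declaration for it is part of this commit, while the other `home-assistant/*` secrets are declared in the home-assistant module with `sopsFile = ../secrets/sops/home-assistant.yaml`. This job scrapes `tank`, which suggests prometheus runs on a different host; if the token is placed in home-assistant.yaml as well, that file must also be encrypted to the scraping host's age key or sops-nix fails at activation. Wherever it ends up declared, the secret needs the prometheus service user as `owner`, because Prometheus opens `credentials_file` itself at scrape time rather than receiving it from systemd, and the sops-nix default of root-only `0400` would make the scrape fail. The enclosing `scrapeConfigs` entry starts outside the hunk.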
12
services/restic-client.nix
Normal file
@ -0,0 +1,12 @@
{
sops.secrets = builtins.listToAttrs (map (n: {
name = "restic/${n}";
value = {
sopsFile = ../secrets/sops/restic.yaml;
group = "restic-backup";
mode = "0440";
};
}) [ "rest-env" "backup-bot-env" ]);
users.groups.restic-backup = { };
}
@ -1,13 +1,37 @@
{ config, my, pkgs, ... }:
{ config, my, pkgs, secrets, ... }:
let
secretsPath = "/var/secrets/sourcehut";
inherit (my) domain;
fqdn = "srht.${domain}";
inherit (import ../sources.nix) sourcehutPkgs;
srhtServices = [
"metasrht"
"metasrht-api"
"metasrht-daily"
"metasrht-webhooks"
"gitsrht"
"gitsrht-api"
"gitsrht-periodic"
"gitsrht-webhooks"
];
secretNames = [
"network-key"
"service-key"
"oauth-client-secret"
"webhooks-privkey"
"pgp-pubkey"
"pgp-privkey"
];
in {
disabledModules = [ "services/misc/sourcehut" ];
imports = [ (sourcehutPkgs + /nixos/modules/services/misc/sourcehut) ];
sops.secrets = builtins.listToAttrs (map (n: {
name = "sourcehut/${n}";
value = {
sopsFile = ../secrets/sops/sourcehut.yaml;
owner = "root";
group = "sourcehut";
mode = "0440";
restartUnits = map (srv: "${srv}.service") srhtServices;
};
}) secretNames);
services.sourcehut = {
enable = true;
@ -34,8 +58,8 @@ in {
global-domain = fqdn;
owner-name = "Christoph Heiss";
owner-email = "christoph@c8h4.io";
network-key = "${secretsPath}/network-key";
service-key = "${secretsPath}/service-key";
network-key = secrets."sourcehut/network-key".path;
service-key = secrets."sourcehut/service-key".path;
};
"meta.sr.ht".origin = "https://meta.${fqdn}";
@ -47,7 +71,7 @@ in {
"git.sr.ht" = {
oauth-client-id = fqdn;
oauth-client-secret = "${secretsPath}/oauth-client-secret";
oauth-client-secret = secrets."sourcehut/oauth-client-secret".path;
outgoing-domain = "https://git.${fqdn}";
origin = "https://git.${fqdn}";
};
@ -55,56 +79,48 @@ in {
mail = {
smtp-from = "srht@c8h4.io";
pgp-key-id = "6C28803321A0F6C53B78A2AF3D84AB70408524DD";
pgp-pubkey = "${secretsPath}/pgp-pubkey";
pgp-privkey = "${secretsPath}/pgp-privkey";
pgp-pubkey = secrets."sourcehut/pgp-pubkey".path;
pgp-privkey = secrets."sourcehut/pgp-privkey".path;
};
webhooks.private-key = "${secretsPath}/webhooks-private-key";
webhooks.private-key = secrets."sourcehut/webhooks-privkey".path;
};
};
security.acme.certs."c8h4.io".extraDomainNames = [ "*.${fqdn}" ];
# Binds the sourcehut secrets path read-only into services that require them
systemd.services = let
services = [
"metasrht"
"metasrht-api"
"metasrht-daily"
"metasrht-webhooks"
"gitsrht"
"gitsrht-api"
"gitsrht-periodic"
"gitsrht-webhooks"
];
in builtins.listToAttrs (map (name: {
systemd.services = builtins.listToAttrs (map (name: {
inherit name;
value.serviceConfig.BindReadOnlyPaths = [ secretsPath ];
}) services);
value.serviceConfig.BindReadOnlyPaths =
map (n: secrets."sourcehut/${n}".path) secretNames;
}) srhtServices);
services.openssh.settings.AllowUsers = [ "git" ];
users.groups.sourcehut = { };
users.users = {
git = {
# Disable login for `git` user
password = "*";
extraGroups = [ "restic-backup" ];
extraGroups = [ "restic-backup" "sourcehut" ];
};
metasrht.extraGroups = [ "sourcehut" ];
};
services.restic.backups.gitsrht = let resticCfg = my.homelab.services.restic;
in {
inherit (resticCfg) environmentFile;
services.restic.backups.gitsrht = {
environmentFile = secrets."restic/rest-env".path;
initialize = true;
repository = "${resticCfg.repositoryBase}/${config.networking.hostName}";
passwordFile = "/var/secrets/restic/repo/${config.networking.hostName}";
repository =
"${my.homelab.services.restic.repositoryBase}/${config.networking.hostName}";
passwordFile = secrets."restic/repo-password".path;
user = "git";
paths = [ "/var/lib/sourcehut/gitsrht" ];
timerConfig.OnCalendar = "*-*-* 4:15:00"; # daily at 04:15
backupCleanupCommand = my.mkResticBackupNotificationCmd {
name = "gitsrht";
inherit pkgs;
inherit (my.notifications.backup-bot) environmentFile;
inherit pkgs secrets;
};
};
}
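Review bot: All six sourcehut secrets, `pgp-privkey` included, are declared with `group = "sourcehut"; mode = "0440"` in the first hunk, and `users.users.git.extraGroups` now adds `git` to that group, so the one account admitted by `services.openssh.settings.AllowUsers = [ "git" ]` can read the mail signing key as well as the meta network/service keys. If only metasrht handles the PGP material, splitting it off — `owner = "metasrht";` with the default mode for `pgp-pubkey`/`pgp-privkey`, and the shared group kept only for what gitsrht presumably needs (`network-key`, `service-key`, `oauth-client-secret`, `webhooks-privkey`) — keeps a compromise of the SSH-facing git account from also exposing the signing key. The `BindReadOnlyPaths` map in the last hunk binds every secret into every unit and would then need a per-service list instead of `map (n: secrets."sourcehut/${n}".path) secretNames`.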
@ -1,12 +1,18 @@
{ lib, my, secrets, ... }:
{
sops.secrets."vaultwarden/env" = {
sopsFile = ../secrets/sops/vaultwarden.yaml;
owner = "vaultwarden";
restartUnits = [ "vaultwarden.service" ];
};
services.vaultwarden = {
enable = true;
environmentFile = secrets.vaultwarden-env.destination;
environmentFile = secrets."vaultwarden/env".path;
dbBackend = "postgresql";
config = {
DOMAIN = "https://vaultwarden.${my.domain}";
DOMAIN = "https://vault.${my.domain}";
DATA_FOLDER = "/var/lib/vaultwarden";
DATABASE_URL = "postgresql:///vaultwarden";
SIGNUPS_ALLOWED = false;
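Review bot: `DOMAIN` changes from `https://vaultwarden.${my.domain}` to `https://vault.${my.domain}` in the same hunk that only needed to swap the `environmentFile` path; that is a user-visible behaviour change unrelated to the morph→sops migration. Vaultwarden derives the WebAuthn relying-party ID and the links in its e-mails from `DOMAIN`, so if the public hostname really moved, security keys registered under the old origin stop matching, and the corresponding nginx virtual host / DNS change is not in this section. If the rename is intentional it deserves its own commit or at least a line in the commit message.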
33
sources.nix
@ -1,33 +0,0 @@
let
sourcehutPkgs = fetchGit {
name = "nixpkgs-sourcehut-updated";
url = "https://github.com/christoph-heiss/nixpkgs";
ref = "refs/heads/sourcehut-fix";
rev = "6729c6c653f17a5f9f1dcf5439d3e98652406042";
};
in {
defaultPkgs = fetchGit {
name = "nixos-unstable";
url = "https://github.com/NixOS/nixpkgs";
ref = "refs/heads/nixos-unstable";
rev = "bdeca2c42d6c16adc216ffb87bbe27ebebbd5705"; # 31-03-2024
};
homeManager = fetchGit {
name = "nixos-home-manager-unstable";
url = "https://github.com/nix-community/home-manager";
ref = "refs/heads/master";
rev = "820be197ccf3adaad9a8856ef255c13b6cc561a6"; # 31-03-2024
};
inherit sourcehutPkgs;
overlays = [
(import ./pkgs)
(self: super: {
vimPlugins = super.vimPlugins
// (import ./pkgs/vim-plugins.nix self super);
})
(_: _: { inherit (import sourcehutPkgs { }) sourcehut; })
];
}
@ -1,9 +1 @@
let inherit (import ../../sources.nix) homeManager;
in {
imports = [ (import "${homeManager}/nixos") ];
home-manager.useUserPackages = true;
home-manager.useGlobalPkgs = true;
home-manager.users.christoph.imports = [ ./common.nix ];
}
{ home-manager.users.christoph.imports = [ ./common.nix ]; }
@ -1,8 +1,6 @@
{ config, lib, pkgs, ... }:
let
backgroundImgPath = "~/.local/share/sway/background.jpg";
setSinkVolume = pkgs.writeShellApplication {
name = "set-sink-volume";
runtimeInputs = with pkgs; [ bc jq pulseaudio ];
@ -174,7 +172,8 @@ in {
repeat_delay = "150";
repeat_rate = "50";
};
output."*".background = "${backgroundImgPath} fill #5fb2d0";
output."*".background =
"${pkgs.sway-background-image}/share/background.jpg fill #5fb2d0";
seat."*" = { hide_cursor = "when-typing enable"; };
left = "d";
down = "h";
@ -192,8 +191,6 @@ in {
'';
};
xdg.dataFile."sway/background.jpg".source = ../../extra/sway/background.jpg;
services.swayidle = {
enable = true;
events = [{
@ -218,7 +215,7 @@ in {
settings = {
daemonize = true;
ignore-empty-password = true;
image = backgroundImgPath;
image = "${pkgs.sway-background-image}/share/background.jpg";
scaling = "fill";
show-keyboard-layout = true;
};